CVE-2026-40605
Path Traversal in Tautulli Leading to Arbitrary File Deletion
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tautulli | tautulli | to 2.17.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the path traversal vulnerability in Tautulli impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-40605 is a path traversal vulnerability in Tautulli, a Python-based monitoring tool for Plex Media Server. It affects versions 2.17.0 and earlier. The vulnerability exists in the cache deletion API endpoint, where an authenticated user with a valid API key can manipulate the folder parameter to delete directories outside the intended cache path.
This happens because the application constructs filesystem paths using user-controlled input without proper validation, allowing attackers to traverse directories and delete arbitrary files or folders.
Exploitation requires authenticated API access, and what can be deleted is bounded by the filesystem permissions of the process running Tautulli. The issue has been fixed in version 2.17.1.
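The pattern described above, shown as an added example that is not Tautulli's code: a cache-folder helper that joins the user-supplied `folder` value onto the cache root and trusts the result, beside a version that resolves the path and refuses anything not strictly inside the cache root. Function names, the cache layout and the temporary directories are assumptions made for illustration.

```python
"""Cache-folder deletion: the unsafe join beside a contained one.

Added example, not Tautulli's code. Function names and the on-disk layout
are assumptions made for illustration.
"""
import shutil
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied folder name would resolve outside the cache root."""


def unsafe_cache_path(cache_root: Path, folder: str) -> Path:
    """The vulnerable pattern: user input is joined to the cache root and trusted.

    '..' segments walk out of cache_root, and an absolute folder replaces it
    entirely (pathlib discards the left operand when the right one is absolute).
    """
    return Path(cache_root) / folder


def safe_cache_path(cache_root: Path, folder: str) -> Path:
    """Resolve the requested folder and require it to sit strictly below cache_root.

    resolve() collapses '..' and follows symlinks, so a symlink inside the cache
    that points elsewhere is rejected too. The root itself is refused because the
    API deletes a *sub*folder of the cache, never the whole cache.
    """
    root = Path(cache_root).resolve()
    candidate = (root / folder).resolve()
    if root not in candidate.parents:
        raise PathTraversalError(f"folder {folder!r} escapes cache root {str(root)!r}")
    return candidate


def delete_cache_folder(cache_root: Path, folder: str) -> bool:
    """Delete a cache subfolder; True if something was removed, False if absent.

    A traversal attempt raises PathTraversalError before anything is touched.
    """
    target = safe_cache_path(cache_root, folder)
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True


def demo() -> dict:
    """Build a throwaway layout, exercise both helpers and report what happened."""
    base = Path(tempfile.mkdtemp(prefix="tautulli-demo-"))  # constructed scratch tree
    cache = base / "cache"
    (cache / "images").mkdir(parents=True)
    (base / "config").mkdir()

    results = {}
    # Unsafe: the traversal value resolves to the sibling 'config' directory.
    results["unsafe_resolves_to"] = unsafe_cache_path(cache, "../config").resolve()
    results["unsafe_escapes"] = results["unsafe_resolves_to"] == (base / "config").resolve()

    # Safe: traversal, an absolute path and the bare root are all refused.
    rejected = []
    for attempt in ("../config", "/etc", ".", "images/../../config"):
        try:
            safe_cache_path(cache, attempt)
        except PathTraversalError:
            rejected.append(attempt)
    results["rejected"] = rejected

    # A legitimate subfolder is deleted; a second call finds nothing to remove.
    results["first_delete"] = delete_cache_folder(cache, "images")
    results["second_delete"] = delete_cache_folder(cache, "images")
    results["config_survived"] = (base / "config").is_dir()

    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment test compares resolved paths rather than string prefixes: a prefix check on `str(candidate).startswith(str(root))` would accept a sibling directory such as `cache2` next to `cache`, and would not notice a symlink inside the cache pointing elsewhere.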
How can this vulnerability impact me?
This vulnerability can lead to arbitrary data loss and service disruption by allowing an attacker to delete files and directories outside the intended cache path.
Since the attacker needs authenticated API access, the impact depends on the security of API keys and user credentials. If exploited, critical files could be deleted, potentially causing the Tautulli service or related systems to malfunction or become unavailable.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying if your Tautulli installation is running a vulnerable version (2.17.0 or earlier) and checking for unauthorized or suspicious API calls to the cache deletion endpoint.
Since exploitation requires authenticated API access, monitoring API usage logs for unusual deletion requests with manipulated folder parameters can help detect attempts.
There are no specific commands provided in the resources to detect exploitation, but you can:
- Check the Tautulli version by running: `tautulli --version` or checking the application UI.
- Review API access logs for DELETE requests to the cache deletion endpoint with suspicious folder parameters.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture API traffic and filter for cache deletion endpoint usage.
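The log review suggested above, as an added example rather than anything from the Tautulli project: a scanner that picks out cache-deletion API requests from access-log lines, percent-decodes the `folder` parameter (repeatedly, so double-encoded values are not missed) and flags values that contain a `..` segment or are absolute. The log line shape, the `/api/v2` path and the `cmd=delete_cache` command name are assumptions made for illustration; the sample lines are constructed.

```python
"""Flag cache-deletion API requests whose folder parameter looks like traversal.

Added example, not Tautulli's code. The log format, the endpoint path and the
command name are assumptions made for illustration.
"""
import re
from pathlib import PurePosixPath
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines: client, timestamp, request line, status.
SAMPLE_LOG = """\
192.0.2.10 [2026-06-04T10:00:01Z] "POST /api/v2?apikey=REDACTED&cmd=delete_cache&folder=images HTTP/1.1" 200
192.0.2.10 [2026-06-04T10:00:05Z] "POST /api/v2?apikey=REDACTED&cmd=delete_cache&folder=../config HTTP/1.1" 200
192.0.2.11 [2026-06-04T10:00:09Z] "POST /api/v2?apikey=REDACTED&cmd=delete_cache&folder=%2e%2e%2f%2e%2e%2fbackups HTTP/1.1" 200
192.0.2.12 [2026-06-04T10:00:12Z] "GET /api/v2?apikey=REDACTED&cmd=get_activity HTTP/1.1" 200
192.0.2.13 [2026-06-04T10:00:20Z] "POST /api/v2?apikey=REDACTED&cmd=delete_cache&folder=/srv/media HTTP/1.1" 200
192.0.2.14 [2026-06-04T10:00:25Z] "POST /api/v2?apikey=REDACTED&cmd=delete_cache&folder=images%2F..%2F..%2Fdb HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
CACHE_DELETE_CMD = "delete_cache"  # assumed command name for the cache deletion endpoint


def decode_folder(raw: str) -> str:
    """Percent-decode until the value stops changing, so %252e%252e is seen as '..'."""
    value = raw
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_folder(folder: str) -> bool:
    """True when the decoded value could leave the cache directory.

    Flags absolute paths and any '..' segment; backslashes are treated as
    separators so Windows-style values get the same scrutiny.
    """
    decoded = decode_folder(folder).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    return ".." in PurePosixPath(decoded).parts


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per cache-deletion request with a suspicious folder value."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match["target"]).query, keep_blank_values=True)
        if query.get("cmd", [None])[0] != CACHE_DELETE_CMD:
            continue
        folder = query.get("folder", [""])[0]  # parse_qs has already decoded one layer
        if is_suspicious_folder(folder):
            findings.append({
                "client": match["client"],
                "time": match["ts"],
                "folder": folder,
                "decoded": decode_folder(folder),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} folder={finding['decoded']!r}")
```

Only requests carrying the cache-deletion command are examined, so ordinary API traffic is left alone; a clean `folder=images` request from the same client as a traversal attempt is not reported, which keeps the output focused on the requests worth investigating.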
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Tautulli to version 2.17.1 or later, where this path traversal vulnerability has been fixed.
Additionally, restrict API access to trusted users only and ensure that API keys are securely managed to prevent unauthorized access.
Monitor and audit API usage to detect any suspicious activity related to cache deletion requests.