CVE-2026-40605
Status: Deferred - Pending Action
Path Traversal in Tautulli Leading to Arbitrary File Deletion

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-04
Generated: 2026-06-25
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-23
Affected Vendors & Products (1 associated CPE)
Vendor     Product     Version / Range
tautulli   tautulli    versions before 2.17.1 (2.17.1 excluded)
CWE ID    Description
CWE-22    The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
CWE-73    The product allows user input to control or influence paths or file names that are used in filesystem operations.
Compliance Impact

The provided information does not specify how the path traversal vulnerability in Tautulli impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-40605 is a path traversal vulnerability in Tautulli, a Python-based monitoring tool for Plex Media Server. It affects versions 2.17.0 and earlier. The vulnerability exists in the cache deletion API endpoint, where an authenticated user with a valid API key can manipulate the folder parameter to delete directories outside the intended cache path.

This happens because the application constructs filesystem paths using user-controlled input without proper validation, allowing attackers to traverse directories and delete arbitrary files or folders.
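The following is an added illustration, not Tautulli's code: a hypothetical cache-deletion helper written the unchecked way the summary describes, beside a hardened version that resolves the target path and refuses anything that does not stay underneath the configured cache root. The names delete_cache_folder_unchecked, resolve_contained and demo are invented for this example; the directory layout built by demo() is constructed in a temporary directory.

```python
import os
import shutil
import tempfile

# Hypothetical helper (not Tautulli's code). `cache_root` is the configured
# cache path, `folder` is the caller-supplied parameter from the API request.


def delete_cache_folder_unchecked(cache_root, folder):
    """The weak pattern: join and delete without checking containment.

    A `folder` such as '../config' or an absolute path like '/etc' resolves
    outside cache_root, so rmtree removes a directory the caller should never
    reach. Shown for contrast only; demo() never calls it.
    """
    shutil.rmtree(os.path.join(cache_root, folder))


def is_within_cache(cache_root, folder):
    """True only if `folder` resolves to a path strictly inside cache_root."""
    root = os.path.realpath(cache_root)
    target = os.path.realpath(os.path.join(root, folder))
    # realpath collapses '..' segments and symlinks before the comparison;
    # commonpath rejects prefix look-alikes such as '/srv/cache-other'.
    if os.path.commonpath([root, target]) != root:
        return False
    # Deleting the cache root itself would also be an unintended effect.
    return target != root


def resolve_contained(cache_root, folder):
    """Hardened resolution: return the absolute target or raise ValueError."""
    if not is_within_cache(cache_root, folder):
        raise ValueError(f"folder resolves outside the cache path: {folder!r}")
    return os.path.realpath(os.path.join(os.path.realpath(cache_root), folder))


def delete_cache_folder(cache_root, folder):
    """Hardened deletion: only ever removes a directory inside cache_root."""
    target = resolve_contained(cache_root, folder)
    shutil.rmtree(target)
    return target


def demo():
    """Build a constructed tree and report which folder values are accepted."""
    base = tempfile.mkdtemp()
    cache = os.path.join(base, "cache")
    os.makedirs(os.path.join(cache, "images"))
    os.makedirs(os.path.join(base, "config"))
    results = {}
    # One legitimate value and three traversal attempts of different shapes.
    for folder in ["images", "../config", "/tmp", "images/../../config"]:
        try:
            results[folder] = resolve_contained(cache, folder)
        except ValueError:
            results[folder] = "rejected"
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for folder, outcome in demo().items():
        print(f"{folder!r:24} -> {outcome}")
```

The containment test is done on the fully resolved path rather than on the raw string, so encoded or mixed separators and symlinked cache directories are handled by the same comparison; a string check for ".." alone would not be sufficient.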

The vulnerability requires authenticated API access, and what can be deleted is bounded by the filesystem permissions of the process running Tautulli. It has been fixed in version 2.17.1.

Impact Analysis

This vulnerability can lead to arbitrary data loss and service disruption by allowing an attacker to delete files and directories outside the intended cache path.

Since the attacker needs authenticated API access, the impact depends on the security of API keys and user credentials. If exploited, critical files could be deleted, potentially causing the Tautulli service or related systems to malfunction or become unavailable.

Detection Guidance

Detecting exposure to this vulnerability involves verifying whether your Tautulli installation is running a vulnerable version (2.17.0 or earlier) and checking for unauthorized or suspicious API calls to the cache deletion endpoint.

Since exploitation requires authenticated API access, monitoring API usage logs for unusual deletion requests with manipulated folder parameters can help detect attempts.

There are no specific commands provided in the resources to detect exploitation, but you can:

  • Check the Tautulli version by running: `tautulli --version` or checking the application UI.
  • Review API access logs for DELETE requests to the cache deletion endpoint with suspicious folder parameters.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture API traffic and filter for cache deletion endpoint usage.
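As an added example of the log review suggested above (not a tool provided by the resources or by the Tautulli project), the script below scans access-log lines for requests to the cache deletion endpoint and flags folder parameter values that would escape a directory: parent-directory segments, absolute paths, or Windows drive prefixes. The sample log lines are constructed, and the endpoint path /api/cache_delete is a placeholder to be replaced with the real endpoint of your installation; the check keys on the parameter value, whatever HTTP method the request used.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in common access-log format (not real Tautulli
# logs). "/api/cache_delete" is a placeholder endpoint; API keys redacted.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jun/2026:10:01:12 +0000] "GET /api/cache_delete?apikey=REDACTED&folder=images HTTP/1.1" 200 17
10.0.0.9 - - [04/Jun/2026:10:02:44 +0000] "GET /api/cache_delete?apikey=REDACTED&folder=..%2F..%2Fconfig HTTP/1.1" 200 17
10.0.0.9 - - [04/Jun/2026:10:03:01 +0000] "GET /api/cache_delete?apikey=REDACTED&folder=%2Fetc HTTP/1.1" 200 17
10.0.0.5 - - [04/Jun/2026:10:04:30 +0000] "GET /home HTTP/1.1" 200 5120
"""

# Substrings identifying the cache deletion endpoint (placeholder; adjust).
ENDPOINT_MARKERS = ("cache_delete",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_folder(value):
    """True if the folder value would leave a directory once used in a path."""
    # parse_qs already decoded once; decode again to catch double encoding,
    # then normalise backslashes so 'images\\..\\config' is treated alike.
    decoded = unquote(value).replace("\\", "/")
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:", decoded):
        return True  # absolute POSIX path or Windows drive prefix
    return any(segment == ".." for segment in decoded.split("/"))


def scan_log(text):
    """Return (ip, timestamp, folder) for each suspicious deletion request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if not any(marker in url.path for marker in ENDPOINT_MARKERS):
            continue
        for folder in parse_qs(url.query).get("folder", []):
            if is_suspicious_folder(folder):
                findings.append((m["ip"], m["ts"], folder))
    return findings


if __name__ == "__main__":
    for ip, ts, folder in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious folder={folder!r}")
```

Run it against exported access logs; a hit is a request to investigate alongside the API key and source address that issued it, and a cluster of hits from one key is a strong signal to rotate that key.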

Mitigation Strategies

The immediate mitigation step is to upgrade Tautulli to version 2.17.1 or later, where this path traversal vulnerability has been fixed.

Additionally, restrict API access to trusted users only and ensure that API keys are securely managed to prevent unauthorized access.

Monitor and audit API usage to detect any suspicious activity related to cache deletion requests.
