CVE-2026-41065
Deferred Deferred - Pending Action

Remote Code Execution in Tautulli via Malicious Mako Template

Vulnerability report for CVE-2026-41065, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-07-15
AI Q&A
2026-06-04
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
tautulli tautulli to 2.17.1 (exc)
tautulli tautulli 2.17.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows remote code execution with zero credentials on fresh installs and by any admin on completed installs, potentially leading to unauthorized access and control over the Tautulli server.

Such unauthorized access and execution could result in exposure or manipulation of sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict controls over data confidentiality and integrity.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

Executive Summary

CVE-2026-41065 is a remote code execution vulnerability in Tautulli versions 2.17.0 and earlier. It arises because fresh installations have no authentication on management endpoints, and the newsletter custom template directory feature allows setting arbitrary paths without validation. An attacker can create a newsletter agent, point the custom template directory to a malicious template hosted on an attacker-controlled SMB or NFS share, and trigger code execution via the newsletter render endpoint without any credentials. On completed installations, any admin can exploit the same chain.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely as the Tautulli process user. On fresh installs, this can be done without any credentials, potentially giving full control over the affected system. On completed installs, any admin user can exploit it to run malicious code. This could lead to system compromise, data theft, or further attacks within the network.

Detection Guidance

Detection of this vulnerability involves checking if the Tautulli installation is running a version prior to 2.17.1 and whether the setup wizard has been completed. On fresh installs before setup completion, management endpoints are unauthenticated, which can be tested by attempting to access newsletter management endpoints without credentials.

Additionally, monitoring network traffic for SMB or NFS connections initiated by the Tautulli server to external shares could indicate exploitation attempts, as the vulnerability involves loading malicious Mako templates from attacker-controlled SMB or NFS shares.

Suggested commands include:

  • Check Tautulli version: `tautulli --version` or check the installed package version.
  • Test unauthenticated access to management endpoints (on fresh installs): Use curl or wget to access newsletter endpoints without credentials, e.g., `curl http://<tautulli-server>:<port>/newsletter/render`.
  • Monitor network connections for SMB (Windows) or NFS (Linux) shares: Use tools like `netstat -an | grep 445` (SMB) or `showmount -e` (NFS) to detect unusual mounts or connections.
Mitigation Strategies

The immediate mitigation step is to upgrade Tautulli to version 2.17.1 or later, as this version contains the fix for the vulnerability.

For fresh installations, complete the setup wizard promptly to enable authentication and prevent unauthenticated access to management endpoints.

Restrict network access to the Tautulli server, especially blocking SMB and NFS traffic from untrusted sources to prevent loading of malicious templates.

Review and restrict admin privileges to trusted users only, as exploitation on completed installs requires admin credentials.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41065. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart