CVE-2026-41065
Deferred Deferred - Pending Action
Remote Code Execution in Tautulli via Malicious Mako Template

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-25
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-41065
EUVD
EUVD-2026-34273
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tautulli tautulli to 2.17.1 (exc)
tautulli tautulli 2.17.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41065 is a remote code execution vulnerability in Tautulli versions 2.17.0 and earlier. It arises because fresh installations have no authentication on management endpoints, and the newsletter custom template directory feature allows setting arbitrary paths without validation. An attacker can create a newsletter agent, point the custom template directory to a malicious template hosted on an attacker-controlled SMB or NFS share, and trigger code execution via the newsletter render endpoint without any credentials. On completed installations, any admin can exploit the same chain.

Compliance Impact

The vulnerability allows remote code execution with zero credentials on fresh installs and by any admin on completed installs, potentially leading to unauthorized access and control over the Tautulli server.

Such unauthorized access and execution could result in exposure or manipulation of sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict controls over data confidentiality and integrity.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely as the Tautulli process user. On fresh installs, this can be done without any credentials, potentially giving full control over the affected system. On completed installs, any admin user can exploit it to run malicious code. This could lead to system compromise, data theft, or further attacks within the network.

Detection Guidance

Detection of this vulnerability involves checking if the Tautulli installation is running a version prior to 2.17.1 and whether the setup wizard has been completed. On fresh installs before setup completion, management endpoints are unauthenticated, which can be tested by attempting to access newsletter management endpoints without credentials.

Additionally, monitoring network traffic for SMB or NFS connections initiated by the Tautulli server to external shares could indicate exploitation attempts, as the vulnerability involves loading malicious Mako templates from attacker-controlled SMB or NFS shares.

Suggested commands include:

  • Check Tautulli version: `tautulli --version` or check the installed package version.
  • Test unauthenticated access to management endpoints (on fresh installs): Use curl or wget to access newsletter endpoints without credentials, e.g., `curl http://<tautulli-server>:<port>/newsletter/render`.
  • Monitor network connections for SMB (Windows) or NFS (Linux) shares: Use tools like `netstat -an | grep 445` (SMB) or `showmount -e` (NFS) to detect unusual mounts or connections.
Mitigation Strategies

The immediate mitigation step is to upgrade Tautulli to version 2.17.1 or later, as this version contains the fix for the vulnerability.

For fresh installations, complete the setup wizard promptly to enable authentication and prevent unauthenticated access to management endpoints.

Restrict network access to the Tautulli server, especially blocking SMB and NFS traffic from untrusted sources to prevent loading of malicious templates.

Review and restrict admin privileges to trusted users only, as exploitation on completed installs requires admin credentials.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41065. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart