CVE-2026-43985
CSRF in Tautulli Admin Interface via configUpdate Endpoint
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tautulli | tautulli | to 2.17.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-43985 is a Cross-Site Request Forgery (CSRF) vulnerability in Tautulli versions 2.17.0 and earlier. The vulnerability exists in the `/configUpdate` endpoint, which does not enforce the use of the POST method nor implement any anti-CSRF protections.
Because the administrator session cookie is set with SameSite=Lax, cross-site requests can still be made via top-level navigation. An attacker can exploit this by tricking a logged-in administrator into visiting a malicious webpage that submits a crafted request to `/configUpdate`.
This request can overwrite the local administrator username and password with attacker-controlled values. The attacker can then log in directly using these credentials and take full control of the Tautulli administrative interface.
The issue was patched in version 2.17.1.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an attacker to gain unauthorized administrative access to the Tautulli instance by exploiting a CSRF flaw that overwrites administrator credentials. Such unauthorized access can lead to exposure or manipulation of sensitive configuration data, logs, and administrative features.
Because of the potential for unauthorized access and control over sensitive information, this vulnerability could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and strict access controls.
Specifically, the compromise of administrative credentials and subsequent access to sensitive data may violate requirements for data confidentiality, integrity, and accountability mandated by these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious HTTP requests to the `/configUpdate` endpoint on Tautulli instances running versions prior to 2.17.1.
Since the vulnerability involves Cross-Site Request Forgery (CSRF) exploiting the lack of POST method enforcement and anti-CSRF tokens, detection can focus on identifying unexpected or unusual POST or GET requests to `/configUpdate` that change administrator credentials.
Suggested commands to detect potential exploitation attempts include using network traffic analysis tools like tcpdump or tshark to filter HTTP requests to `/configUpdate`.
- Using tcpdump to capture HTTP requests to `/configUpdate` on port 8181 (default Tautulli port):
- tcpdump -i any -A -s 0 'tcp port 8181 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/configUpdate'
- Using tshark to filter HTTP requests to `/configUpdate` endpoint:
- tshark -Y 'http.request.uri contains "/configUpdate"' -T fields -e http.request.method -e http.host -e http.request.uri
Additionally, reviewing Tautulli logs for unexpected changes to administrator credentials or sessions may help detect exploitation.
How can this vulnerability impact me? :
This vulnerability allows an attacker to gain unauthorized administrative access to the Tautulli instance by overwriting the administrator credentials.
Once compromised, the attacker can access sensitive configuration settings, logs, and administrative features.
The attackerβs access persists even after the victimβs session ends, potentially leading to a complete system compromise.
Due to its network-based attack vector, low complexity, and high impact on confidentiality, integrity, and availability, this vulnerability has a high severity score of 8.8 (CVSS v3.1).
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade Tautulli to version 2.17.1 or later, which includes a patch that enforces proper HTTP method restrictions and anti-CSRF protections on the /configUpdate endpoint.
Additionally, consider invalidating existing administrator sessions and changing administrator credentials to prevent unauthorized access from previously exploited sessions.