Executive Summary

CVE-2026-43985 is a Cross-Site Request Forgery (CSRF) vulnerability in Tautulli versions 2.17.0 and earlier. The vulnerability exists in the `/configUpdate` endpoint, which does not enforce the use of the POST method nor implement any anti-CSRF protections.

Because the administrator session cookie is set with SameSite=Lax, cross-site requests can still be made via top-level navigation. An attacker can exploit this by tricking a logged-in administrator into visiting a malicious webpage that submits a crafted request to `/configUpdate`.

This request can overwrite the local administrator username and password with attacker-controlled values. The attacker can then log in directly using these credentials and take full control of the Tautulli administrative interface.

The issue was patched in version 2.17.1.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to gain unauthorized administrative access to the Tautulli instance by exploiting a CSRF flaw that overwrites administrator credentials. Such unauthorized access can lead to exposure or manipulation of sensitive configuration data, logs, and administrative features.

Because of the potential for unauthorized access and control over sensitive information, this vulnerability could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and strict access controls.

Specifically, the compromise of administrative credentials and subsequent access to sensitive data may violate requirements for data confidentiality, integrity, and accountability mandated by these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious HTTP requests to the `/configUpdate` endpoint on Tautulli instances running versions prior to 2.17.1.

Since the vulnerability involves Cross-Site Request Forgery (CSRF) exploiting the lack of POST method enforcement and anti-CSRF tokens, detection can focus on identifying unexpected or unusual POST or GET requests to `/configUpdate` that change administrator credentials.

Suggested commands to detect potential exploitation attempts include using network traffic analysis tools like tcpdump or tshark to filter HTTP requests to `/configUpdate`.

• Using tcpdump to capture HTTP requests to `/configUpdate` on port 8181 (default Tautulli port):
• tcpdump -i any -A -s 0 'tcp port 8181 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/configUpdate'
• Using tshark to filter HTTP requests to `/configUpdate` endpoint:
• tshark -Y 'http.request.uri contains "/configUpdate"' -T fields -e http.request.method -e http.host -e http.request.uri

Additionally, reviewing Tautulli logs for unexpected changes to administrator credentials or sessions may help detect exploitation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to gain unauthorized administrative access to the Tautulli instance by overwriting the administrator credentials.

Once compromised, the attacker can access sensitive configuration settings, logs, and administrative features.

The attacker’s access persists even after the victim’s session ends, potentially leading to a complete system compromise.

Due to its network-based attack vector, low complexity, and high impact on confidentiality, integrity, and availability, this vulnerability has a high severity score of 8.8 (CVSS v3.1).

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Tautulli to version 2.17.1 or later, which includes a patch that enforces proper HTTP method restrictions and anti-CSRF protections on the /configUpdate endpoint.

Additionally, consider invalidating existing administrator sessions and changing administrator credentials to prevent unauthorized access from previously exploited sessions.

Useful 0 Not Useful 0