CVE-2026-43986
Deferred Deferred - Pending Action
Unauthenticated SSRF via Malicious Image Hash in Tautulli

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public `/image/<hash>` route that resolves attacker-controlled entries from `image_hash_lookup` and replays them through the same server-side image fetch logic used by authenticated image proxying. A low-privilege guest user can seed a malicious external image URL into this lookup table and then trigger server-side fetches through a fully unauthenticated endpoint. This turns an authenticated SSRF primitive into a persistent unauthenticated SSRF gadget. Once the malicious hash entry exists, any external user can request `/image/<hash>.png` and cause the PMS or Tautulli host to fetch an arbitrary attacker-chosen URL. Version 2.17.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-25
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-43986
EUVD
EUVD-2026-34286
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tautulli tautulli to 2.17.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-43986 is a critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Tautulli versions 2.17.0 and earlier.

The vulnerability allows an attacker to exploit a public endpoint `/image/<hash>` to trigger server-side requests to arbitrary URLs without authentication.

A low-privilege guest user can insert a malicious external image URL into the system's image hash lookup table. This malicious entry can then be triggered by any external user through the unauthenticated endpoint, causing the server to fetch attacker-chosen URLs.

The issue arises because guest users can create image hashes, the hash can be derived offline using disclosed server UUID and controllable parameters, and the public `/image/<hash>` route blindly trusts and replays these entries using server-side credentials.

Once the malicious hash entry exists, it persists in the database, enabling repeated exploitation.

Impact Analysis

This vulnerability can have severe impacts including unauthorized internal network access and information disclosure.

Because the SSRF occurs in an unauthenticated context that falls back to the administrator's Plex Media Server (PMS) token, an attacker can leverage this to perform actions with elevated privileges.

The CVSS score of 9.9 (Critical) reflects high impacts on confidentiality, integrity, and availability.

  • Confidentiality: Sensitive internal resources or data may be exposed.
  • Integrity: Attackers may manipulate or interfere with internal services.
  • Availability: The server or services may be disrupted by malicious requests.
Detection Guidance

Detection of this vulnerability involves identifying if your Tautulli instance is running a vulnerable version (2.17.0 or earlier) and if the public endpoint `/image/<hash>` is accessible without authentication.

You can monitor network traffic or logs for unusual or unexpected outbound HTTP requests originating from the Tautulli server, especially requests triggered by unauthenticated access to the `/image/<hash>` endpoint.

Suggested commands to detect exploitation attempts or presence of malicious entries include:

  • Use curl or wget to test the endpoint: `curl -I http://<tautulli-server>/image/<hash>.png` to see if the endpoint responds without authentication.
  • Check Tautulli logs for requests to `/image/<hash>` endpoints from unauthenticated sources.
  • Monitor outbound HTTP requests from the Tautulli server using tools like tcpdump or Wireshark: `tcpdump -i <interface> host <tautulli-server-ip> and port 80`.
  • Query the Tautulli database or configuration to identify entries in the `image_hash_lookup` table that may contain attacker-controlled URLs.
Mitigation Strategies

The immediate mitigation step is to upgrade Tautulli to version 2.17.1 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, consider disabling guest user access to prevent attackers from seeding malicious image URLs.

Restrict access to the `/image/<hash>` endpoint by implementing network-level controls or authentication mechanisms to prevent unauthenticated exploitation.

Monitor and clean the `image_hash_lookup` table to remove any malicious entries that may have been seeded.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform server-side request forgery (SSRF) that can lead to unauthorized internal network access and information disclosure. This can compromise the confidentiality and integrity of sensitive data handled by the affected system.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access and breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43986. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart