PatchSiren cyber security CVE debrief
CVE-2026-40605 Tautulli CVE debrief
CVE-2026-40605 is a path traversal vulnerability in Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, an authenticated API access can delete directories outside the configured cache path, leading to arbitrary data loss and service disruption. The vulnerability has a CVSS score of 5.7 and is classified as MEDIUM severity. The issue was fixed in version 2.17.1.
- Vendor
- Tautulli
- Product
- Unknown
- CVSS
- MEDIUM 5.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-04
- Original CVE updated
- 2026-06-04
- Advisory published
- 2026-06-04
- Advisory updated
- 2026-06-04
Who should care
Users of Tautulli version prior to 2.17.1 should update to the latest version to prevent potential data loss and service disruption.
Technical summary
The vulnerability is caused by a path traversal issue in the cache deletion endpoint of Tautulli. This allows an authenticated API user to delete directories outside the configured cache path.
Defensive priority
High
Recommended defensive actions
- Update Tautulli to version 2.17.1 or later.
- Restrict API access to trusted users and networks.
- Monitor cache directory for unauthorized changes.
Evidence notes
The vulnerability was reported and fixed by the Tautulli developers. The fix is available in version 2.17.1.
Official resources
CVE-2026-40605 was published on 2026-06-04T14:16:40.520Z and modified on 2026-06-04T16:16:36.437Z.