PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43985 Tautulli CVE debrief

CVE-2026-43985 is a high-severity vulnerability in Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are affected by a cross-site request forgery (CSRF) issue in the `configUpdate` endpoint, allowing an attacker to overwrite the local administrator username and password. The vulnerability has a CVSS score of 8.8 and was published on 2026-06-04T16:16:38.083Z. The issue was patched in version 2.17.1.

Vendor: Tautulli
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-04
Advisory published: 2026-06-04
Advisory updated: 2026-06-04

Who should care

Administrators of Tautulli installations, particularly those using versions prior to 2.17.1, should be aware of this vulnerability and take immediate action to update their installations.

Technical summary

The `configUpdate` endpoint in Tautulli versions prior to 2.17.1 is vulnerable to cross-site request forgery (CSRF) attacks. The endpoint does not enforce `POST` requests and lacks anti-CSRF tokens. In the default form and JWT-based authentication mode, the administrator session cookie is issued with `SameSite=Lax`, which still permits top-level cross-site navigation requests. An attacker can exploit this by luring a logged-in administrator to a malicious page that submits a cross-site request to `/configUpdate` and overwrites the local administrator username and password.
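The three weaknesses described above (no method enforcement, no anti-CSRF token, a SameSite=Lax cookie that still allows top-level cross-site navigation) map onto three server-side checks. The following is an added illustration, not Tautulli's own code or its fix: a request-validation function for a settings-update endpoint, a SameSite=Strict cookie header, and a triage helper that flags /configUpdate requests in reverse-proxy access logs. ALLOWED_ORIGIN, the Request/Session classes, and the SAMPLE_LOG lines are constructed for the example; the log parser assumes the common combined log format.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical deployment origin; a real instance would take this from its config.
ALLOWED_ORIGIN = "https://tautulli.example.internal"


def same_origin(url: str) -> bool:
    """True only when scheme and host:port match ALLOWED_ORIGIN exactly.

    Comparing parsed components (not a string prefix) avoids accepting
    look-alike hosts such as tautulli.example.internal.other.example.
    """
    a, b = urlsplit(url), urlsplit(ALLOWED_ORIGIN)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


@dataclass
class Request:  # minimal stand-in for a framework request object
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:  # per-session anti-CSRF token, generated on login
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def session_cookie_header(session_id: str) -> str:
    # SameSite=Strict withholds the cookie even on top-level cross-site
    # navigations, which SameSite=Lax permits; Secure and HttpOnly are baseline.
    return f"tautulli_session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def check_config_update(req: Request, session: Session) -> tuple:
    """Return (allowed, reason) for a state-changing settings update."""
    if req.method != "POST":
        return False, "method not allowed"
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin or not same_origin(origin):
        return False, "cross-site request"
    token = req.form.get("csrf_token", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(token, session.csrf_token):
        return False, "missing or invalid csrf token"
    return True, "ok"


# Combined log format: "METHOD PATH PROTO" STATUS SIZE "REFERER" "UA"
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)


def suspicious_config_update_lines(lines) -> list:
    """Flag /configUpdate requests that are not POST or not same-origin.

    A missing Referer ("-") is also flagged: for an admin endpoint it
    deserves a look rather than a silent pass.
    """
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not m.group("path").startswith("/configUpdate"):
            continue
        if m.group("method") != "POST" or not same_origin(m.group("referer")):
            hits.append(line)
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2026:10:00:00 +0000] "POST /configUpdate HTTP/1.1" 200 12 '
    '"https://tautulli.example.internal/settings" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Jun/2026:10:01:00 +0000] "GET /configUpdate?a=1 HTTP/1.1" 200 12 '
    '"https://third-party.example/" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Jun/2026:10:02:00 +0000] "POST /configUpdate HTTP/1.1" 200 12 '
    '"https://third-party.example/form" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Jun/2026:10:03:00 +0000] "GET /settings HTTP/1.1" 200 12 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_config_update_lines(SAMPLE_LOG):
        print("review:", hit)
```

Run on the constructed log, the triage helper returns the GET request and the POST with a third-party Referer, and leaves the same-origin POST alone. The validation function rejects a GET even with a valid token, rejects a cross-origin POST before looking at the token, and only then compares the token in constant time.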

Defensive priority

High

Recommended defensive actions

  • Update Tautulli to version 2.17.1 or later.
  • Ensure administrators are aware of the vulnerability and take precautions to avoid exploitation.

Evidence notes

The vulnerability was patched in version 2.17.1. See [ref-4](https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1) and [ref-5](https://github.com/Tautulli/Tautulli/security/advisories/GHSA-v622-pmjj-gpx3) for more information.

Official resources

CVE-2026-43985 was published on 2026-06-04T16:16:38.083Z and modified on 2026-06-04T19:16:29.670Z.