PatchSiren cyber security CVE debrief
CVE-2026-43986 Tautulli CVE debrief
A critical vulnerability, CVE-2026-43986, was discovered in Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. The vulnerability has a CVSS score of 9.9 and is classified as CRITICAL. It allows a low-privilege guest user to seed a malicious external image URL into the lookup table and then trigger server-side fetches through a fully unauthenticated endpoint, effectively turning an authenticated SSRF primitive into a persistent unauthenticated SSRF gadget.
- Vendor
- Tautulli
- Product
- Unknown
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-04
- Original CVE updated
- 2026-06-04
- Advisory published
- 2026-06-04
- Advisory updated
- 2026-06-04
Who should care
Users of Tautulli versions prior to 2.17.1 should be aware of this vulnerability and take immediate action to patch their installations.
Technical summary
The vulnerability exists in the `/image/<hash>` route, which resolves attacker-controlled entries from `image_hash_lookup` and replays them through the same server-side image fetch logic used by authenticated image proxying. Because the route itself requires no authentication, any requester can make the server fetch a URL that a guest user previously seeded into the lookup table, which is server-side request forgery (SSRF).
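As an added illustration, not Tautulli's code or its 2.17.1 fix, the kind of destination check a server-side image fetch should pass before following a stored URL; the `resolver` hook and the `FAKE_DNS` table are assumptions so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not Tautulli's code or its 2.17.1 fix: the destination check a
# server-side image fetch should pass before following a stored URL. The
# resolver hook and the FAKE_DNS table are assumptions so it runs offline.
ALLOWED_SCHEMES = {"http", "https"}

def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses (v4 or v6)."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)

def check_fetch_target(url: str, resolver) -> tuple[bool, str]:
    """Return (allowed, reason). resolver maps a host to all its IP strings
    (wrap socket.getaddrinfo in production). Every address is inspected, so
    a name that also maps to an internal address is refused. Connect to the
    address checked here (pin it) rather than resolving again, or a DNS
    answer that changes between check and fetch defeats the check."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    if not parsed.hostname:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "embedded credentials not allowed"
    try:
        addresses = resolver(parsed.hostname)
    except (socket.gaierror, ValueError):
        return False, f"cannot resolve {parsed.hostname!r}"
    if not addresses:
        return False, f"no addresses for {parsed.hostname!r}"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{parsed.hostname!r} resolves to non-public {ip}"
    return True, "ok"

# Constructed address table standing in for DNS; no network access needed.
FAKE_DNS = {"cdn.example.net": ["93.184.216.34"],
            "metadata.internal": ["169.254.169.254"],
            "split.example.net": ["93.184.216.34", "10.0.0.5"]}

def fake_resolver(host: str) -> list[str]:
    try:
        return FAKE_DNS.get(host) or [str(ipaddress.ip_address(host))]
    except ValueError:  # neither in the table nor a bare IP literal
        raise socket.gaierror(f"unknown host {host}") from None
```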
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Tautulli version 2.17.1 or later
- Review and restrict access to the `/image/<hash>` route
- Monitor for suspicious activity on your Tautulli installation
Evidence notes
The vulnerability was patched in version 2.17.1. References: [ref-4](https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1), [ref-5](https://github.com/Tautulli/Tautulli/security/advisories/GHSA-m6j6-rc2c-8vpm)
Official resources
CVE-2026-43986 was published on 2026-06-04T16:16:38.290Z and modified on 2026-06-04T18:16:30.743Z.