
Plex Companion Tautulli Hit by Five Flaws (CVE-2026-43986 and More): Update to v2.17.1

Tautulli, the popular dashboard that tracks viewing on the Plex media server, has five vulnerabilities including a 9.9-severity flaw. Some paths work without logging in, and chained together they lead to admin-panel takeover or code execution on your server. Update to v2.17.1.

News

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.05

Tautulli, the popular companion app that tracks viewing on the Plex media server many people run at home or in the office, has five security flaws, including one rated 9.9 out of 10 — close to the highest possible severity. The headline issue is CVE-2026-43986, which the U.S. National Vulnerability Database (NVD) scores at 9.9.

What makes this serious is that several of the flaws are reachable even without logging in. Each is dangerous on its own, but chained together they can lead to a takeover of Tautulli's admin panel or arbitrary code running on your server. The developers have already shipped a fix in Tautulli v2.17.1, released on May 4, 2026, so anyone on an older build (2.16.1 or earlier) should update promptly.

What happens, in one line

In short: there were several leftover paths that let an attacker walk straight from the guest entrance into the back of the house. Tautulli has endpoints reachable by a low-privilege "guest" user, and some reachable without logging in at all. You were not supposed to get any further from there, but missing input checks and missing identity checks let an attacker step deeper, one stage at a time.

Concretely, a single release bundled together: an attack that makes the server send requests on the attacker's behalf to peek into your internal network (CVE-2026-43986), an attack that runs the attacker's script inside the admin's screen (CVE-2026-43984), an attack that tricks the admin into rewriting settings (CVE-2026-43985), and an attack that runs arbitrary code on the server (CVE-2026-41065). That last one leads directly to a full server takeover.

What are Plex and Tautulli, anyway?

Plex lets you store the movies, shows, music, and photos you own on a home PC or NAS (network-attached storage) and stream them to your phone or TV with a Netflix-like interface. It is widely used by movie buffs and home-server enthusiasts around the world as a "build-your-own streaming service."

Tautulli, the app at the center of this story, is the "viewing logbook" you bolt onto Plex. It charts who watched what and when, how busy your connection is, and which titles are most popular, and it can email new-release newsletters to family members or push notifications when someone starts watching. It is a free, open-source app, and a staple for anyone running Plex seriously.

The problem is where Tautulli sits. To collect usage stats, it holds your Plex account information and an access key (token), and it runs inside your server and home network. People who want to check their graphs from outside often expose the Tautulli screen to the internet. "Placing a management tool that knows the inner workings of your home where outsiders can reach it" is exactly the setup that amplifies the impact of these flaws.

The essentials in one minute

Before the details, here are the key points. The checks are simple: is your Tautulli older than 2.17.1, and is its screen exposed to the internet?

Item              | Detail
Affected software | Tautulli (viewing monitor for Plex)
Number of flaws   | 5 (all fixed in v2.17.1)
Top severity      | 9.9 / 10 (CVE-2026-43986)
Main issues       | Proxied requests (SSRF) / code execution / in-page script / settings rewrite
Affected versions | Before 2.17.1 (2.16.1 and earlier)
Fixed release     | Tautulli v2.17.1 (May 4, 2026)
Exploitation      | Not in CISA KEV, no public PoC (as of June 5, 2026)

A self-hosted, open-source tool turning up with several holes at once is not new. The home-network watchdog Pi.Alert's unauthenticated RCE and the company login platform authentik's multiple flaws are in the same family, sharing one trait: "a tool meant to protect you becomes the way in." Tautulli is another case of it.

When the viewing logbook becomes a foothold, here is what walks out of the house

The number "9.9" can make a home-server admin tool feel like someone else's problem, so let's start with who would actually target this hole and why. The Tautulli screen is like a guide who knows your household's habits. Once outsiders can steer that guide, it's clear who takes an interest.

The people coming for it are the operators of automated bots that scan the internet around the clock for unguarded admin panels, the residents of piracy communities who trade lists of other people's free-to-watch Plex servers, and the freeloader or ex-housemate sitting on the same Wi-Fi. What they want is not an abstract "personal information." It is your Plex login and server key, a map of which folder holds the family photos and the books you ripped yourself, the tax documents and address lists on the NAS hanging off the same network, and even your router's admin password — concrete things. The moment they reach into an endpoint that forgot to check identity, the data that used to live only inside your house starts flowing out to a stranger.

Technically, this chain is an especially bad combination. The proxied-request hole (SSRF) becomes a foothold for making Tautulli's server reach "devices that should only be visible from the inside." From their own PC the attacker can't reach your router's settings page or NAS admin panel — but through Tautulli, they can. Add the code-execution hole (CVE-2026-41065) and they can have the server load a malicious template from a share they control and run a program directly on it. The entrance is a humble "just shows you viewing graphs" tool; the exit is your entire home network.

The label "CVSS 9.9" only marks the ceiling of technical severity. For someone running Plex at home, what is really lost is access to a video collection built over years, the safety of the storage packed with family photos, and the very assumption that "my server is mine to control." More than the number, keeping that guide's keys out of a stranger's hands is the part that actually matters.

The five flaws, and why each one is dangerous

Here are the five entries from the v2.17.1 release notes, in order of severity. Each is a problem on its own, but they compound when combined.

CVE-2026-43986: making the server send requests on the attacker's behalf (severity 9.9)

This is the most serious of the five. Its formal class is CWE-918 (Server-Side Request Forgery, SSRF) — a flaw that makes the server "go and connect to a place the attacker chooses." When Tautulli handles an external image, it records that image's address in an internal lookup table. A guest-level user can seed a malicious external address into this table, and then, by hitting a separate endpoint that requires no authentication, make Tautulli start connecting to that address. An SSRF that used to require a login turns into one that works without any login at all — which is why it scores 9.9. The fix changes Tautulli to "not store the hash for external images."

CVE-2026-41065: arbitrary code execution via the newsletter feature (severity 8.9)

Tautulli can email new-release newsletters to family, and you can swap their look with your own template. The problem was that you could point the template directory at an external share (SMB share) the attacker controls. Place a malicious Mako template there, and the moment Tautulli loads it, a program runs on the server. According to NVD's description, on a freshly installed server where setup is not yet complete, this attack works without any login. This pattern of weak entry validation turning into code execution is one we've seen repeatedly, in the AI tool Langflow's unauthenticated RCE and the file-sharing service Samba's unauthenticated RCE.

CVE-2026-43984: running a script inside the admin's screen (severity 8.9)

The class is CWE-79 (Cross-Site Scripting, XSS) — the classic trick of slipping the attacker's script into a web page so it runs in someone else's browser. Tautulli has an endpoint that records front-end errors (log_js_errors) into which a guest-level user could feed arbitrary strings. Those strings were stored unprocessed, and when the admin opens the log viewer, the attacker's script runs as-is. Because it runs with the admin's privileges, it can tamper with settings or hijack the session. The fix sanitizes what gets written to the log.

CVE-2026-43985: tricking the admin into rewriting settings (severity 8.8)

The class is CWE-352 (Cross-Site Request Forgery, CSRF) — luring a logged-in admin to a trap site so an action runs without their knowledge. Tautulli's settings-change endpoint (configUpdate) lacked the mechanism (a CSRF token) that prevents this impersonation, and its method restrictions were loose. As a result, simply opening a trap page as the admin could rewrite settings including login credentials, risking a full takeover of the admin panel. The fix adds tokens and restricts settings changes to the POST method.

CVE-2026-40605: a path that can delete stored files (path traversal)

The class is CWE-22 (Path Traversal) — climbing up to folders you should not reach using relative paths like "../". Tautulli's cache-deletion feature had this gap, risking the deletion of files in unintended locations. It is a flaw that can destroy data or destabilize the system, and it too is closed in v2.17.1.

Why they all surfaced together, technically

All five share one root: "a value handed in from outside was used internally without being checked enough." The proxied-request hole took an external address, the code-execution hole took a template location, and the in-page script hole took the contents of an error log — each accepted as input a guest-level party could specify, then passed into processing without validation. The settings-rewrite hole was the inverse: it lacked the mechanism to verify where an action came from. Checking the input, and checking the identity — both basics were missing in places.
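The two missing checks this paragraph names, written out as an added example (not Tautulli's code; function names and sample paths are assumptions): a cache file name confined to its directory, and a URL check that refuses internal destinations before the server goes and fetches it.

```python
import ipaddress
import os
import socket
from typing import Optional
from urllib.parse import urlsplit

# Added example, not Tautulli's own code. It shows the two input checks whose
# absence the article describes: confining a caller-supplied cache file name
# to the cache directory (CWE-22) and refusing to let the server fetch a
# caller-supplied URL that points at internal address space (CWE-918).
# Function names are hypothetical.


def confined_cache_path(cache_dir: str, requested: str) -> Optional[str]:
    """Absolute path of `requested` inside `cache_dir`, or None if the name
    escapes the directory (via '..', an absolute path or a symlink) or
    names the directory itself."""
    root = os.path.realpath(cache_dir)
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath compares resolved paths component-wise; a plain
    # startswith() would accept "/cache-old" for a root of "/cache".
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def is_internal_destination(url: str) -> bool:
    """True if fetching `url` would make the server talk to loopback,
    private, link-local or other non-public address space, if the scheme
    is not http(s), or if the host cannot be resolved."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    try:
        infos = socket.getaddrinfo(parts.hostname, parts.port or 80,
                                   proto=socket.IPPROTO_TCP)
    except (socket.gaierror, ValueError):
        return True  # unresolvable or malformed: refuse rather than guess
    # Every address the name maps to must be public; a single internal
    # record is enough to refuse the fetch.
    return any(not ipaddress.ip_address(i[4][0]).is_global for i in infos)


if __name__ == "__main__":
    # Constructed inputs: a poster name next to a traversal attempt, and a
    # public image address next to a private-range address.
    for name in ("poster_123.jpg", "../config.ini"):
        print(name, "->", confined_cache_path("/tmp/tautulli-cache", name))
    for url in ("http://8.8.8.8/img.png", "http://192.168.1.1/"):
        print(url, "->", "refused" if is_internal_destination(url) else "ok")
```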

The worrying part is that these separate holes form a single intrusion path when linked. In theory: probe the internal network through the no-login endpoint (SSRF), plant a script in the log as a guest (XSS), rewrite settings while the admin opens it (CSRF), and finally run arbitrary code through the newsletter feature (RCE). Each alone has a condition — "only a guest can do it," "an admin action is required" — but combined, the conditions fill in for one another. No public proof-of-concept exists as of June 5, 2026, but the method is easy to infer from the fixes, so this is not one to be complacent about.

Cases where "a handy self-hosted tool turns out to have a cluster of authentication and authorization holes" have been especially visible lately. The way stolen keys and settings get repurposed as stepping stones into other systems is continuous with attack chains that travel through open-source components. The problem of login handling shipping half-built shows up in the analysis tool Jupyter's login-screen flaw, the single sign-on platform Casdoor's auth bypass, and the ticketing system OTRS's authorization bypass, and Tautulli joins that line.

Affected versions and the fix

Affected are Tautulli versions before v2.17.1 (2.16.1 and earlier). Fixes for all five are bundled into v2.17.1, released on May 4, 2026. The CVE numbers were published to NVD on June 4, 2026, so the vulnerability details surfaced a bit after the fixed build shipped. Because a fix already exists, the response is simple: update to the latest version.

CVE            | Type                           | Severity
CVE-2026-43986 | Proxied requests (SSRF)        | 9.9 (Critical)
CVE-2026-41065 | Code execution (template)      | 8.9 (High)
CVE-2026-43984 | In-page script (XSS)           | 8.9 (High)
CVE-2026-43985 | Settings rewrite (CSRF)        | 8.8 (High)
CVE-2026-40605 | File deletion (path traversal) | Medium–High

You can get the latest build from Tautulli's GitHub releases page. If you run it in Docker, update the image to the latest stable (latest tag) and restart; if you installed it manually, use the in-app update feature or pull the source with git. Whatever the install method, once you are on v2.17.1 or later, all five holes are closed.

What to do right now

The top priority is updating Tautulli to v2.17.1 or later, which closes all five. If you cannot update immediately, the stopgap is to move the Tautulli screen out of direct reach from the internet. Specifically: if it is exposed, take it down for now, and limit access to the inside of your home or office network — close the router's port forwarding, or restrict it to a VPN or to a reverse proxy that requires authentication. Since no-login endpoints are at the center of this, simply not letting outsiders touch the endpoints at all lowers your odds of being hit.

It is also worth checking whether you have already been hit. Look for unfamiliar changes in Tautulli's settings (especially the notification and newsletter template locations and registered email addresses), and for accounts you don't recognize in the admin user list. In case of abuse, changing your Plex account password and reissuing the Plex access token that Tautulli holds will invalidate any stolen keys. How hard it is to trace things after a secret key leaks is something we covered in the home-network monitor Pi.Alert case. This vulnerability is not in CISA's catalog of vulnerabilities known to be exploited (KEV) as of June 5, 2026, but there is no reason to wait for it to be listed.
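A quick way to answer the "is it older than 2.17.1" question against a running instance, added here as an example that is not part of the article or of Tautulli itself. It assumes the Tautulli API command get_tautulli_info on /api/v2 returns a tautulli_version field; the base URL and API key are placeholders.

```python
import json
import re
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urlencode

# Added example, not Tautulli's code. Assumption: GET /api/v2?cmd=get_tautulli_info
# answers with {"response": {"data": {"tautulli_version": "v2.16.1", ...}}}.

FIXED_VERSION = (2, 17, 1)  # first release carrying all five fixes


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'v2.16.1' -> (2, 16, 1). Returns None for anything that is not a
    dotted release number so the caller can treat it as unknown.
    A pre-release suffix such as '-beta' is ignored."""
    m = re.match(r"v?(\d+(?:\.\d+)+)", text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def needs_update(version_text: str) -> bool:
    """True if the version is below v2.17.1 or cannot be parsed.
    Tuple comparison handles a short field count: (2, 17) < (2, 17, 1)."""
    parsed = parse_version(version_text)
    return parsed is None or parsed < FIXED_VERSION


def fetch_tautulli_version(base_url: str, api_key: str) -> str:
    """Ask a running Tautulli for its own version through its API."""
    query = urlencode({"apikey": api_key, "cmd": "get_tautulli_info"})
    url = f"{base_url.rstrip('/')}/api/v2?{query}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        body = json.load(resp)
    return body["response"]["data"]["tautulli_version"]


if __name__ == "__main__":
    # Placeholders: point these at your own instance before running.
    version = fetch_tautulli_version("http://127.0.0.1:8181", "YOUR_API_KEY")
    verdict = "update needed (< v2.17.1)" if needs_update(version) else "fixed release"
    print(f"Tautulli {version}: {verdict}")
```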

Risk check for your setup

Here are the angles for quickly judging how urgently you need to act, in order of risk. Use the table to prioritize the update.

Your situation                                              | Risk level
Older than 2.17.1 and the screen is exposed to the internet | Highest (update now)
Older than 2.17.1 but used only on the local network        | Needs update (watch internal paths)
Freshly installed with setup not yet complete               | Highest (no-login RCE applies)
Already on v2.17.1+ / not using Tautulli                    | No direct impact

Note that "safe because I only use it at home" does not hold. The in-page script (XSS) and settings-rewrite (CSRF) holes trigger when the admin merely opens a malicious page, so even without exposure, clicking a trap link can lead to harm. As long as you run an affected version, you need to update whether or not it is exposed. A freshly installed server whose setup is unfinished is especially exposed to the no-login code execution, so finish setup quickly or keep it off-limits to outsiders until you do.

How this unfolded

Here is the timeline from the fix release to the public disclosure. The fix went out first, giving users time to update, and the CVE numbers were published afterward.


Frequently asked questions

Q. I use Plex but not Tautulli. Am I affected?

A. These flaws are on the Tautulli side, so if you don't run Tautulli there is no direct impact. Note this is not a Plex vulnerability. That said, on an exposed Plex setup any bolt-on management tool — not just Tautulli — can become an unexpected entry point, so it is worth taking stock of what you have left reachable from outside.

Q. Is it safe if I only use it inside my home network?

A. It stops being the "highest" risk, but it is not safe. The in-page script (XSS) and settings-rewrite (CSRF) holes trigger when the admin merely opens an external trap page. Even without exposure, clicking a trap link can cause harm, so if you run an affected version you still need to update.

Q. I can't update right away. What is the minimum I should do?

A. Moving the Tautulli screen out of direct internet reach is the top priority. If it is exposed, take it down for now and limit access to your home network, a VPN, or an authenticated reverse proxy. Also check settings and the user list for unfamiliar changes. This only buys time; the real fix is updating to v2.17.1 or later.

Q. I heard a freshly installed server is the most dangerous. Why?

A. Because NVD states that the newsletter code execution (CVE-2026-41065) works without a login on a freshly installed server whose setup is incomplete. Leaving it reachable from outside mid-setup is when harm is most likely. When installing, finish initial setup inside your network and start on v2.17.1 or later from the outset.
