{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31804", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T16:33:42.913Z", "datePublished": "2026-03-30T19:42:09.704Z", "dateUpdated": "2026-04-01T18:22:21.837Z"}, "containers": {"cna": {"title": "Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-qj2f-4c4p-wv97", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-qj2f-4c4p-wv97"}, {"name": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0"}], "affected": [{"vendor": "Tautulli", "product": "Tautulli", "versions": [{"version": "< 2.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T19:42:09.704Z"}, "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pms_image_proxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme or host. The endpoint is intentionally excluded from all authentication checks in webstart.py, any value of img beginning with http is passed directly to Plex, this causes the Plex Media Server process, which typically runs on the same host or internal network as Tautulli, with access to RFC-1918 address space, to issue an outbound HTTP request to any attacker-specified URL. This issue has been patched in version 2.17.0."}], "source": {"advisory": "GHSA-qj2f-4c4p-wv97", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:21:32.105200Z", "id": "CVE-2026-31804", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:22:21.837Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31804", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T16:33:42.913Z", "datePublished": "2026-03-30T19:42:09.704Z", "dateUpdated": "2026-04-01T18:22:21.837Z"}, "containers": {"cna": {"title": "Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-qj2f-4c4p-wv97", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-qj2f-4c4p-wv97"}, {"name": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0"}], "affected": [{"vendor": "Tautulli", "product": "Tautulli", "versions": [{"version": "< 2.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T19:42:09.704Z"}, "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pms_image_proxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme or host. The endpoint is intentionally excluded from all authentication checks in webstart.py, any value of img beginning with http is passed directly to Plex, this causes the Plex Media Server process, which typically runs on the same host or internal network as Tautulli, with access to RFC-1918 address space, to issue an outbound HTTP request to any attacker-specified URL. This issue has been patched in version 2.17.0."}], "source": {"advisory": "GHSA-qj2f-4c4p-wv97", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31804", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T18:21:32.105200Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:21:42.311Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pms_image_proxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme or host. The endpoint is intentionally excluded from all authentication checks in webstart.py, any value of img beginning with http is passed directly to Plex, this causes the Plex Media Server process, which typically runs on the same host or internal network as Tautulli, with access to RFC-1918 address space, to issue an outbound HTTP request to any attacker-specified URL. This issue has been patched in version 2.17.0."}, {"lang": "es", "value": "Tautulli es una herramienta de monitoreo y seguimiento basada en Python para Plex Media Server. Antes de la versi\u00f3n 2.17.0, el endpoint /pms_image_proxy acepta un par\u00e1metro 'img' proporcionado por el usuario y lo reenv\u00eda al transcodificador /photo/:/ transcode de Plex Media Server sin autenticaci\u00f3n y sin restringir el esquema o el host. El endpoint est\u00e1 intencionalmente excluido de todas las comprobaciones de autenticaci\u00f3n en webstart.py, cualquier valor de 'img' que comience con HTTP se pasa directamente a Plex, esto hace que el proceso de Plex Media Server, que normalmente se ejecuta en el mismo host o red interna que Tautulli, con acceso al espacio de direcciones RFC-1918, emita una solicitud HTTP saliente a cualquier URL especificada por el atacante. Este problema ha sido parcheado en la versi\u00f3n 2.17.0."}], "id": "CVE-2026-31804", "lastModified": "2026-04-01T14:24:21.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:21.517", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-qj2f-4c4p-wv97"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tautulli", "source": "cna", "vendor": "Tautulli"}, "product": "tautulli", "vendor": "tautulli"}], "analysis": {"en": {"generated_at": "2026-03-30T20:20:37.702054+00:00", "value": {"mitigation_remediation": ["Upgrade Tautulli to version 2.17.0 or later.", "Restrict access to the /pms_image_proxy endpoint by removing it from public URLs or applying firewall rules that block unauthenticated requests.", "If an upgrade is not immediately possible, temporarily disable outbound network access from the Plex Media Server to prevent unintended requests.", "Implement input validation so that only HTTPS URLs from approved domains are accepted if customizing the endpoint."], "summary": {"action": "Immediate Patch", "impact": "SSRF that enables arbitrary outbound requests via Plex Media Server"}, "threat_synthesis": {"affected_systems": "All installations of the Tautulli monitoring application running a version earlier than 2.17.0 are susceptible. The issue has already been patched in the 2.17.0 release, so any instance using a release prior to that date should be updated to address the flaw.", "description_and_impact": "The vulnerability exists in Tautulli\u2019s /pms_image_proxy endpoint, which accepts a user\u2011supplied img parameter and forwards the value to Plex Media Server\u2019s /photo/ transcode endpoint without authentication or restricting the scheme or host. This omission allows an unauthenticated client to instruct the Plex server, which runs on the same host or internal network as Tautulli, to make an outbound HTTP request to any address the attacker supplies. The result is a classic server\u2011side request forgery that can expose internal resources, reach private networks, or facilitate credential harvesting from other services.", "risk_and_exploitability": "With a CVSS score of 4.0, the flaw is classified as low to moderate severity. Although no EPSS score is available, the lack of authentication and the ability to reach arbitrary hosts mean the vulnerability is exploitable by anyone with access to the Tautulli web interface. Because it is not listed in the CISA KEV catalog, there is no confirmed wide\u2011scale exploitation reported, yet the potential for internal reconnaissance makes precautionary action advisable."}}}}, "created": "2026-03-30T20:55:06.163841+00:00", "updated": "2026-03-31T20:40:19.213600+00:00", "vendors": ["tautulli", "tautulli$PRODUCT$tautulli"]}