Tautulli Vulnerable to Authenticated Path Traversal in Cache Deletion API

5.7 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P

Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.

Basic Information

ID CVE-2026-40605

Source GitHub_M

Published Jun 4, 2026 at 12:50

Affected Product

Vendor Tautulli

Product Tautulli

Version < 2.17.1

Affected Versions Tautulli Tautulli < 2.17.1

CWE Classification

CWE-22 CWE-73

References

{
    "lastseen": "",
    "description": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.",
    "published": "2026-06-04T12:50:10.079Z",
    "modified": "2026-06-04T12:50:10.079Z",
    "type": "cve",
    "title": "Tautulli Vulnerable to Authenticated Path Traversal in Cache Deletion API",
    "source": "GitHub_M",
    "references": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-fg46-xx7h-mhwr\nhttps://github.com/Tautulli/Tautulli/releases/tag/v2.17.1",
    "id": "CVE-2026-40605",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-73"
    ],
    "cvelist": null,
    "sourceData": "Tautulli Tautulli < 2.17.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.7,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Tautulli",
    "version": "< 2.17.1",
    "vendor": "Tautulli",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Tautulli Vulnerable to Authenticated Path Traversal in Cache Deletion API_CVE-2026-40605