CVE-2026-40605 PUBLISHED

Tautulli Vulnerable to Authenticated Path Traversal in Cache Deletion API

Assigner: GitHub_M
Reserved: 14.04.2026 Published: 04.06.2026 Updated: 04.06.2026

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows an authenticated API caller to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.
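
The containment check this class of bug calls for, as an added example that is not Tautulli's code and not the 2.17.1 patch: a directory name supplied through an API is resolved and must stay strictly inside the configured cache path before anything is deleted. The function names, the CachePathError class and the directory layout in demo() are hypothetical and constructed for illustration.

```python
import os
import shutil
import tempfile


class CachePathError(ValueError):
    """Requested directory resolves outside the configured cache path."""


def resolve_cache_dir(cache_root, requested):
    """Return the real path of `requested` under `cache_root`, or raise."""
    root = os.path.realpath(cache_root)
    # realpath collapses ".." and follows symlinks, so the containment
    # check below runs on the directory that would really be removed.
    target = os.path.realpath(os.path.join(root, requested))
    # commonpath compares whole components, so /data/cache_old is not
    # mistaken for a child of /data/cache (a startswith() check would be).
    if target == root or os.path.commonpath([root, target]) != root:
        raise CachePathError(f"{requested!r} is outside the cache path")
    return target


def delete_cache_dir(cache_root, requested):
    """Delete one cache subdirectory; refuse anything outside the root."""
    target = resolve_cache_dir(cache_root, requested)
    if os.path.isdir(target):
        shutil.rmtree(target)
        return True
    return False


def demo():
    """Run constructed requests against a throwaway directory tree."""
    base = tempfile.mkdtemp()
    cache = os.path.join(base, "cache")
    for d in ("cache/images", "cache_old", "config"):
        os.makedirs(os.path.join(base, d))
    requests = ["images", "../config", "../cache_old", os.path.join(base, "config"), "."]
    results = []
    for req in requests:
        try:
            results.append(delete_cache_dir(cache, req))
        except CachePathError:
            results.append("rejected")
    survivors = sorted(os.listdir(base))
    shutil.rmtree(base)
    return results, survivors
```

Calling demo() returns the per-request outcome and the directories left beside the cache root. The check does not close the window between resolution and deletion if another process can swap in a symlink, so the cache path should be writable only by the service account.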

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P
CVSS Score: 5.7

Product Status

Vendor Tautulli
Product Tautulli
Versions
  • Version < 2.17.1 is affected

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-73: External Control of File Name or Path