VYPR
Medium severity · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-40605

Description

Tautulli versions prior to 2.17.1 allow authenticated users to delete arbitrary directories via the cache deletion API, causing data loss and service disruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A path traversal vulnerability exists in the cache deletion endpoint of Tautulli, a Python-based monitoring tool for Plex Media Server. Versions prior to 2.17.1 are affected. The delete_cache command processes a user-controlled folder parameter and constructs a filesystem path using os.path.join without validating that the input remains within the intended cache directory [2].

Exploitation

An attacker requires a valid API key and network access to the Tautulli API. The Tautulli process must also have permission to delete files or directories at the target path. The vulnerability is exploited by sending a GET request to the /api/v2 endpoint with the cmd parameter set to delete_cache and the folder parameter set to a path that traverses outside the cache directory, such as ../../../etc [2].
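The path construction described in the Vulnerability and Exploitation sections, as an added illustration that is not Tautulli's code or part of this advisory: the unchecked os.path.join pattern beside a containment check, and the allowlist approach the 2.17.1 fix takes. CACHE_DIR and the function names are constructed placeholders; posixpath is used instead of os.path so the results are the same on every platform.

```python
import posixpath

# Constructed stand-in for the real cache directory (plexpy.CONFIG.CACHE_DIR in Tautulli).
CACHE_DIR = "/var/lib/tautulli/cache"


def build_cache_path_unchecked(folder):
    """Mirror the pre-2.17.1 pattern: join a user-supplied folder with no containment check.
    A relative folder such as '../../../etc' normalises to a path outside CACHE_DIR, and an
    absolute folder makes join() discard CACHE_DIR entirely."""
    return posixpath.normpath(posixpath.join(CACHE_DIR, folder))


def is_within_cache_dir(candidate):
    """Containment check: the normalised candidate must be CACHE_DIR itself or a descendant.
    Comparing against root + '/' prevents a sibling like '/var/lib/tautulli/cache2' from passing."""
    root = posixpath.normpath(CACHE_DIR)
    cand = posixpath.normpath(candidate)
    return cand == root or cand.startswith(root + "/")


def build_cache_path_checked(folder):
    """Hardened variant of the same API shape: returns None instead of a path whenever the
    requested folder would escape CACHE_DIR, so the caller never deletes outside it."""
    if not isinstance(folder, str):
        return None
    candidate = build_cache_path_unchecked(folder)
    return candidate if is_within_cache_dir(candidate) else None


def build_cache_path_allowlisted(images=False):
    """The shape of the 2.17.1 fix: the caller chooses only between the cache root and its
    'images' subfolder, so no filesystem path is ever built from request input."""
    folder = "images" if images else ""
    return posixpath.normpath(posixpath.join(CACHE_DIR, folder))
```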

Impact

Successful exploitation allows an attacker to delete arbitrary directories and files that the Tautulli process has permissions to access. This can lead to significant data loss and service disruption [2].

Mitigation

Tautulli version 2.17.1, released on 2026-05-04, addresses this vulnerability [1]. Users should update to this version or later to resolve the issue. No workarounds are specified in the available references.

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Tautulli/Tautulli (2 version entries, no CPE): range <2.17.1

Patches

da1bc23ac31b: Fix path traversal in delete cache

https://github.com/tautulli/tautulli · JonnyWong16 · Apr 12, 2026 · Fixed in 2.17.1 (via llm-release-walk)
1 file changed · +6 −3
  • plexpy/webserve.py (+6 −3, modified)
    @@ -5013,18 +5013,21 @@ def download_plex_log(self, logfile='', **kwargs):
         @addtoapi()
         def delete_image_cache(self, **kwargs):
             """ Delete and recreate the image cache directory. """
    -        return self.delete_cache(folder='images')
    +        return self.delete_cache(images=True)
     
         @cherrypy.expose
         @cherrypy.tools.json_out()
         @requireAuth(member_of("admin"))
         @addtoapi()
    -    def delete_cache(self, folder='', **kwargs):
    +    def delete_cache(self, images=False, **kwargs):
             """ Delete and recreate the cache directory. """
    +        folder = 'images' if images else ''
    +        
             cache_dir = os.path.join(plexpy.CONFIG.CACHE_DIR, folder)
             result = 'success'
    -        msg = 'Cleared the %scache.' % (folder + ' ' if folder else '')
    +        msg = f'Cleared the {folder + " " if folder else ""}cache.'
             try:
    +            logger.info(f'Clearing {folder + " " if folder else ""}cache...')
                 shutil.rmtree(cache_dir, ignore_errors=True)
             except OSError as e:
                 result = 'error'
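Review bot: the new `images` keyword still arrives through the request parameters on the `@cherrypy.expose`/`@addtoapi()` route, so if cherrypy hands it over as a string, a call with `images=false` is truthy and selects the images folder instead of the cache root; coerce the value to a boolean explicitly before `folder = 'images' if images else ''`, and update the docstring, which `@addtoapi()` exposes and still reads only "Delete and recreate the cache directory.", to document the parameter. A legacy `folder=` argument is now silently swallowed by `**kwargs` and ignored, so an old caller sending `folder=images` clears the entire cache; logging or rejecting an unexpected `folder` key would make that behaviour change visible. Also, since `shutil.rmtree(cache_dir, ignore_errors=True)` suppresses OSError, the `except OSError` branch in the trailing context is effectively unreachable and `result = 'error'` can never be set from it.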
    

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

0

No linked articles in our index yet.