CVE-2026-31804 MEDIUM

CVE-2026-31804: Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server

Vendor Tautulli
Product Tautulli
Weakness CWE-918 · SSRF
Published March 30, 2026
Last update April 1, 2026
View on NVD All CVEs

CVSS base score

4.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pms_image_proxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme or host. The endpoint is intentionally excluded from all authentication checks in webstart.py, any value of img beginning with http is passed directly to Plex, this causes the Plex Media Server process, which typically runs on the same host or internal network as Tautulli, with access to RFC-1918 address space, to issue an outbound HTTP request to any attacker-specified URL. This issue has been patched in version 2.17.0.

Key dates

02Disclosure timeline

March 30, 2026 CVE published
April 1, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-7177 ChatGPTNextWeb NextChat route.ts proxyHandler server-side request forgery CVE-2026-35032 Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner CVE-2026-53827 OpenClaw < 2026.5.2 - Credential Exposure via Model-Supplied Loopback URLs in message.action Forwarding CVE-2025-54590 webfinger.js is vulnerable to Blind SSRF attacks through localhost CVE-2024-45479 Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost