CVE-2026-31799 Overview
CVE-2026-31799 is a SQL Injection vulnerability affecting Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. The vulnerability exists in the /api/v2?cmd=get_home_stats endpoint, where the section_id, user_id, before, and after query parameters are passed directly into SQL queries via Python %-string formatting without proper parameterization. An attacker who possesses the Tautulli admin API key can exploit this flaw to inject arbitrary SQL commands and exfiltrate data from the Tautulli SQLite database using boolean-blind inference techniques.
Critical Impact
Authenticated attackers with admin API key access can extract sensitive data from the Tautulli database through blind SQL injection, potentially exposing user viewing history, credentials, and configuration data.
Affected Products
- Tautulli 2.14.2 and later, before 2.17.0 (before and after parameters)
- Tautulli 2.1.0-beta and later, before 2.17.0 (section_id and user_id parameters)
- Any installation running an affected version with the API enabled; the flaw is in the application code, so packaging (pip, Docker, installer) makes no difference
Discovery Timeline
- 2026-03-30 - CVE-2026-31799 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-31799
Vulnerability Analysis
This SQL injection vulnerability stems from unsafe query construction in the Tautulli API rather than from a missing validation check alone. The /api/v2?cmd=get_home_stats endpoint accepts several query parameters that are spliced directly into SQL text. Building the statement with Python's %-string formatting creates a classic injection point: whatever the caller supplies becomes part of the SQL the database parses, and where a value is spliced in unquoted, no quote character is even needed to escape the intended expression.
The attacker must hold the Tautulli admin API key, which reduces but does not eliminate the risk. The key is stored in Tautulli's configuration file and is commonly copied into dashboards, scripts and other integrations, so it can leak through configuration exposure, credential theft, a compromised integration host, or an insider. Once the key is in hand, the attacker can run boolean-blind SQL injection to extract data from the underlying SQLite database one yes/no question at a time.
Root Cause
The root cause is the use of Python %-string formatting to construct SQL queries instead of parameterized queries. This coding practice violates secure development principles by treating user input as trusted SQL syntax rather than as data values. The vulnerable parameters (section_id, user_id, before, and after) are concatenated directly into the SQL string, allowing an attacker to break out of the intended query structure and inject malicious SQL commands.
Attack Vector
The attack requires network access to the Tautulli API endpoint and a valid admin API key. The attacker sends requests to /api/v2?cmd=get_home_stats with crafted values in the vulnerable parameters. Because this is a boolean-blind injection, no error message or query output is needed: the injected condition either leaves the normal statistics in the response or empties them, and that difference answers one true/false question per request. Repeating the question for each character position and candidate character recovers database values character by character, so extracting an N-character value costs on the order of N times the alphabet size in requests (fewer with a binary search over the character range).
The mechanism is plain injection of SQL syntax into the vulnerable parameters. When the application builds its query with Python's %-string formatting (e.g., "SELECT * FROM table WHERE id = %s" % user_input), the attacker's input is interpreted as SQL code rather than as a literal value. For further technical information, see the GitHub Security Advisory GHSA-g47q-8j8w-m63q.
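To make the two halves of the paragraph above concrete, here is an added example in Python (not Tautulli's code; the table, column names and the stored secret are constructed for the demo and do not reproduce Tautulli's schema). It builds an in-memory SQLite database, implements the same lookup twice, once with %-formatting as described and once with a bound ? placeholder, and runs a boolean-blind extraction loop against each. The loop uses the row count as its oracle, exactly as an attacker uses the presence or absence of stats in the response: against the formatted query it recovers the secret, against the parameterized query the payload is just a string that matches nothing.

```python
import sqlite3
import string

ALPHABET = string.ascii_lowercase + string.digits


def build_demo_db():
    """Constructed demo schema (not Tautulli's real schema) with a secret to steal."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE history (id INTEGER PRIMARY KEY, section_id INTEGER,
                              user_id INTEGER, title TEXT);
        INSERT INTO history (section_id, user_id, title)
            VALUES (1, 10, 'Movie A'), (1, 11, 'Movie B'), (2, 10, 'Show C');
        CREATE TABLE secrets (name TEXT, value TEXT);
        INSERT INTO secrets VALUES ('api_key', 'k3y7');
    """)
    return db


def count_vulnerable(db, section_id):
    """The bug class on this page: %-formatting splices the value into the SQL text."""
    query = "SELECT COUNT(*) FROM history WHERE section_id = %s" % section_id
    return db.execute(query).fetchone()[0]


def count_safe(db, section_id):
    """The fix: a ? placeholder makes sqlite3 bind section_id as a value, never as SQL."""
    query = "SELECT COUNT(*) FROM history WHERE section_id = ?"
    return db.execute(query, (section_id,)).fetchone()[0]


def blind_extract(oracle, db, length=4, alphabet=ALPHABET):
    """Boolean-blind inference: one yes/no question per request, using the
    row count (non-zero vs zero) as the oracle. Stops at the first position
    where no candidate character matches."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            # '1 AND <condition>' keeps the legitimate rows only when the
            # condition is true, so the count leaks one bit per request.
            payload = ("1 AND (SELECT substr(value, %d, 1) FROM secrets "
                       "WHERE name = 'api_key') = '%s'" % (pos, ch))
            if oracle(db, payload) > 0:
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", repr(blind_extract(count_vulnerable, db)))  # 'k3y7'
    print("parameterized:", repr(blind_extract(count_safe, db)))    # ''
```

The parameterized version is not "sanitized"; it simply never lets the value touch the SQL grammar. SQLite receives the payload as a text value, compares it against an integer column, finds no match, and the oracle goes dark. That is why the fix in 2.17.0 is parameterization rather than input filtering.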
Detection Methods for CVE-2026-31799
Indicators of Compromise
- Requests to /api/v2?cmd=get_home_stats whose section_id, user_id, before, or after values are not the expected short integers or dates (long values, spaces, parentheses, SQL keywords)
- SQL injection syntax in those parameters (quotes, comment sequences, AND/OR conditions, subselects, UNION); note that a parameter spliced in unquoted can be attacked without any quote character, so quote-only matching misses cases
- Many near-identical get_home_stats requests from one source that differ only in a single parameter value, the signature of boolean-blind inference (one yes/no question per request)
- Error responses or response-time anomalies while an attacker is tuning payloads, although a working boolean-blind chain produces only normal-looking 200 responses
Detection Strategies
- Deploy WAF or reverse-proxy rules for get_home_stats that allowlist the expected parameter formats (integers, YYYY-MM-DD dates, or whatever your integrations actually send); an allowlist is more robust than blocklisting SQL keywords, which is routinely bypassed
- Monitor access logs (typically at the reverse proxy, which sees the full query string) for SQL metacharacters and keywords in the four vulnerable parameters
- Deploy application-layer detection for the boolean-blind pattern: high request counts to one endpoint from one source, each request differing only in a parameter value
- Review where the admin API key is legitimately used and from which addresses; get_home_stats requests from any other source warrant investigation
Monitoring Recommendations
- Log full request URLs for the API, for example at the reverse proxy in front of Tautulli, so parameter values are available for review
- Alert on repeated anomalous requests to the get_home_stats endpoint, including successful ones; blind injection does not need error responses to work
- Watch for unusual database activity on the Tautulli host, such as sustained query load from API traffic that does not match normal dashboard use
- Rate-limit the API endpoint at the proxy to slow automated extraction, which needs many requests per recovered character
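The detection and monitoring items above come down to two checks: is a vulnerable parameter carrying something other than its expected format, and is one source issuing a burst of such requests. The following added Python example (not part of this page's source or of Tautulli) runs both over constructed reverse-proxy log lines in Common Log Format. Assumptions, labelled in the code: the log is written by a proxy that records the full query string (Tautulli's own log format is not reproduced), legitimate section_id and user_id values are integers, and legitimate before and after values are YYYY-MM-DD dates; adjust LEGIT_VALUE to what your integrations actually send.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# The four parameters this advisory names as injectable in get_home_stats.
VULN_PARAMS = ("section_id", "user_id", "before", "after")

# Assumption: legitimate values are integers (section_id, user_id) or
# YYYY-MM-DD dates (before, after). Anything else is flagged; SQL_TOKENS
# only classifies the finding, the allowlist is what triggers it.
LEGIT_VALUE = re.compile(r"^(\d+|\d{4}-\d{2}-\d{2})$")
SQL_TOKENS = re.compile(
    r"['\";]|--|/\*|\b(and|or|not|union|select|substr|like|case|when|sleep|randomblob)\b",
    re.IGNORECASE,
)

# Common Log Format as written by a reverse proxy in front of Tautulli
# (assumed; Tautulli's own log format is not reproduced here).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def analyze_request(target):
    """Return None if the request is not get_home_stats, else a list of
    (param, decoded_value, reason) findings for the injectable parameters."""
    parts = urlsplit(target)
    if parts.path != "/api/v2":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("cmd") != ["get_home_stats"]:
        return None
    findings = []
    for param in VULN_PARAMS:
        for value in qs.get(param, []):
            if LEGIT_VALUE.match(value):
                continue
            reason = "sql-token" if SQL_TOKENS.search(value) else "unexpected-format"
            findings.append((param, value, reason))
    return findings


def scan_logs(text, burst_threshold=3):
    """Scan log lines; return (alerts, burst_sources). A source producing
    burst_threshold or more findings shows the boolean-blind probing pattern:
    many near-identical requests that differ only in one parameter value."""
    alerts = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = analyze_request(m.group("target"))
        if not findings:
            continue
        per_ip[m.group("ip")] += len(findings)
        for param, value, reason in findings:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "param": param, "value": value, "reason": reason})
    bursts = sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
    return alerts, bursts


# Constructed sample log lines (not real traffic); apikey values redacted.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2026:10:00:01 +0000] "GET /api/v2?apikey=REDACTED&cmd=get_home_stats&section_id=1 HTTP/1.1" 200 1843
203.0.113.5 - - [30/Mar/2026:10:00:02 +0000] "GET /api/v2?apikey=REDACTED&cmd=get_home_stats&before=2026-03-01&after=2026-02-01 HTTP/1.1" 200 1843
198.51.100.7 - - [30/Mar/2026:10:00:03 +0000] "GET /api/v2?apikey=REDACTED&cmd=get_home_stats&section_id=1%20AND%20substr((SELECT%20value%20FROM%20t),1,1)%3D%27a%27 HTTP/1.1" 200 1843
198.51.100.7 - - [30/Mar/2026:10:00:04 +0000] "GET /api/v2?apikey=REDACTED&cmd=get_home_stats&user_id=10%20OR%201%3D1 HTTP/1.1" 200 2210
198.51.100.7 - - [30/Mar/2026:10:00:05 +0000] "GET /api/v2?apikey=REDACTED&cmd=get_home_stats&after=2026-01-01%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2210
203.0.113.5 - - [30/Mar/2026:10:00:06 +0000] "GET /api/v2?apikey=REDACTED&cmd=get_activity HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    found, noisy = scan_logs(SAMPLE_LOG)
    for a in found:
        print("%s %s %s=%r (%s)" % (a["ts"], a["ip"], a["param"], a["value"], a["reason"]))
    print("probing sources:", noisy)
```

Note that every flagged line in the sample returned HTTP 200: filtering on error status would miss all of them. The allowlist also catches payloads that use no quote at all (the user_id line), which a quote-only signature would pass.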
How to Mitigate CVE-2026-31799
Immediate Actions Required
- Upgrade Tautulli to version 2.17.0 or later
- Regenerate the Tautulli API key after upgrading and update every integration (dashboards, scripts, notification hooks) that holds the old one, since any copy of the key could have been used to exploit this
- Audit API access logs for exploitation that may have happened before the patch was applied
- Restrict network access to the Tautulli API to trusted addresses where possible
Patch Information
Tautulli has addressed this vulnerability in version 2.17.0. The patch implements proper parameterized queries to prevent SQL injection through the affected parameters. Users should upgrade immediately by downloading the latest release from the official Tautulli GitHub repository. After upgrading, verify the installation is running version 2.17.0 or later through the Tautulli web interface.
Workarounds
- Bind Tautulli's HTTP listener to localhost or an internal interface if remote access is not required, and reach it through a reverse proxy or VPN
- Add network-level controls (firewall rules) that limit who can reach the Tautulli port at all, not only the proxied path
- Put a reverse proxy with request filtering in front of Tautulli; an allowlist on the expected parameter formats is more reliable than generic SQL-keyword matching
- If the API is not used, disable it in Tautulli's settings; regenerating the key alone does not disable the API, it only invalidates the old key
- Treat all of these as stopgaps: none of them fixes the bug, and anyone who holds the API key and can reach an allowed path can still exploit it until the upgrade is applied
# Example: limit the Tautulli API to trusted admin addresses at the reverse proxy (nginx)
# Add to the nginx server block that fronts Tautulli. 192.0.2.0/24 is a placeholder;
# replace it with your own management hosts or subnet. This only helps if Tautulli's
# own listener (port 8181 by default) is not reachable directly, i.e. it is bound
# to 127.0.0.1 or firewalled; otherwise the attacker simply skips the proxy.
location /api/v2 {
    allow 127.0.0.1;
    allow 192.0.2.0/24;
    deny all;
    proxy_pass http://localhost:8181;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

