CVE-2026-43986

Tautulli · Tautulli

A server-side request forgery (SSRF) vulnerability in Tautulli allows unauthenticated attackers to force the server to fetch arbitrary URLs.

Executive summary

Tautulli is affected by a critical SSRF vulnerability that allows unauthenticated attackers to perform arbitrary server-side requests.

Vulnerability

The application exposes a public endpoint that resolves attacker-controlled image hashes, transforming an authenticated SSRF primitive into an unauthenticated SSRF gadget.

Business impact

With a CVSS score of 9.9, this vulnerability poses a severe risk. Attackers can leverage the server's internal network access to interact with internal services that are otherwise unreachable from the public internet, potentially leading to sensitive information disclosure or internal service exploitation.

Remediation

Immediate Action: Upgrade Tautulli to version 2.17.1 or later without delay.

Proactive Monitoring: Inspect server logs for outbound requests to suspicious external URLs or internal network segments originating from the Tautulli host.

Compensating Controls: Ensure the Tautulli host is isolated from sensitive internal network zones and implement egress filtering to restrict unauthorized outbound connections.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability is highly critical due to the ease of unauthenticated exploitation. Organizations running Tautulli must upgrade to version 2.17.1 immediately to close the SSRF vector and prevent potential internal network probing.