CRITICAL🇵🇱 Wersja polska

CVE-2026-35031

CVSS 9.9v3.1pub. 2026-04-14upd. 2026-04-23

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.

🤖 AI Analysis
How it works

The POST /Videos/{itemId}/Subtitles endpoint does not verify the Format field, which allows path traversal through manipulation of the file extension and writing arbitrary files to the server's file system. The written file can then be read through .strm files, enabling database extraction and privilege escalation to administrator level. Finally, the attacker can write their own library to ld.so.preload, achieving remote code execution with root privileges.

Impact

An attacker can gain full control over the server, including reading arbitrary files, extracting data from the database, privilege escalation, and remote code execution as root (RCE).

Mitigation & patch

Jellyfin should be updated to version 10.11.7 or newer. If immediate update is not possible, it is recommended not to grant unprivileged users the 'Upload Subtitles' permission to reduce the attack surface.

Who is affected

Jellyfin in versions earlier than 10.11.7. Exploitation requires an administrator account or a user account with explicitly granted 'Upload Subtitles' permission.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Jellyfin

    APP
    Jellyfin
    < 10.11.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath TraversalLPE
CWE
References

Related vulnerabilities

CVE-2026-35033CRITICAL9.3PL ✓ten sam produkt

Jellyfin: odczyt dowolnych plików przez command injection w ffmpeg

CVE-2026-31852CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność RCE w workflow GitHub Actions Jellyfin iOS

CVE-2023-30627CRITICAL9.0ten sam produkt

jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prio...

CVE-2026-35032HIGH8.6ten sam produkt

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain i...

CVE-2025-31499HIGH7.6ten sam produkt

Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument inject...