Description
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.
Published: 2026-04-14
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Jellyfin versions prior to 10.11.7 contain a flaw in the subtitle upload endpoint where the Format field is not validated, permitting path traversal through a crafted file extension. The flaw lets an attacker write arbitrary files on the server, which can then be leveraged to read arbitrary files via .strm chaining, extract database credentials, elevate privileges to administrator level, and ultimately execute code as the root user through the ld.so.preload mechanism. Successful exploitation results in full compromise of confidentiality, integrity, and availability of the affected system.
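As an added illustration of the bug class described here (not Jellyfin's own code), the following shows a subtitle file name built from an unvalidated Format field beside a hardened version that allowlists the format, validates the language tag, and verifies the resolved path stays inside the media directory. The directory, item name, and allowed format list are constructed sample values.

```python
import os
import re
from pathlib import Path

# Assumption: a typical set of text subtitle formats a server would accept.
ALLOWED_FORMATS = {"srt", "ass", "ssa", "vtt", "sub", "smi"}
FORMAT_RE = re.compile(r"[a-z0-9]{1,8}")      # no '/', '\', '.', NUL, etc.
LANGUAGE_RE = re.compile(r"[a-z]{2,3}")        # simple ISO-639 style tag


def vulnerable_target(media_dir: str, item_name: str, language: str, fmt: str) -> str:
    """Vulnerable pattern: the client-controlled Format value is spliced straight
    into the file name, so a value containing separators or '..' moves the write
    outside media_dir."""
    return os.path.normpath(os.path.join(media_dir, f"{item_name}.{language}.{fmt}"))


def validate_format(fmt: str) -> bool:
    """Allowlist check for the Format field: exact, lowercase, known extension."""
    fmt = fmt.lower()
    return FORMAT_RE.fullmatch(fmt) is not None and fmt in ALLOWED_FORMATS


def safe_target(media_dir: str, item_name: str, language: str, fmt: str) -> Path:
    """Hardened pattern: reject anything not on the allowlist, then confirm the
    resolved path is still below media_dir (item_name is assumed to come from the
    server's own item record, but the containment check covers it as well)."""
    if not validate_format(fmt):
        raise ValueError(f"rejected subtitle format: {fmt!r}")
    if LANGUAGE_RE.fullmatch(language.lower()) is None:
        raise ValueError(f"rejected language tag: {language!r}")
    base = Path(media_dir).resolve()
    target = (base / f"{item_name}.{language.lower()}.{fmt.lower()}").resolve()
    if base not in target.parents:
        raise ValueError("subtitle path escapes the media directory")
    return target


if __name__ == "__main__":
    # Constructed sample: a benign upload and a traversal attempt via Format.
    print(vulnerable_target("/srv/media/Movie", "movie", "en", "srt"))
    print(vulnerable_target("/srv/media/Movie", "movie", "en", "srt/../../outside"))
    print(safe_target("/srv/media/Movie", "movie", "en", "SRT"))
    print(validate_format("srt/../../outside"))
```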

Affected Systems

The vulnerability affects the Jellyfin media server (vendor jellyfin, product jellyfin). Only releases earlier than 10.11.7 are impacted; version 10.11.7 and later contain the fix. The vulnerability is reachable when an authenticated user holding the "Upload Subtitles" permission calls the POST /Videos/{itemId}/Subtitles endpoint.

Risk and Exploitability

The CVSS score of 10 indicates critical severity. Exploitation requires authenticated access as either an administrator or a user explicitly granted the Upload Subtitles permission. Remote exploitation is therefore possible only where such an account exists, though administrators may log in through the web interface from anywhere. The EPSS score is not available, and the CVE is not listed in the CISA KEV catalog, but neither indicator reduces the inherent risk while a vulnerable server remains reachable.

Generated by OpenCVE AI on April 14, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jellyfin to version 10.11.7 or later, which fixes the path traversal flaw in subtitle upload.
  • If upgrading is not immediately feasible, limit the "Upload Subtitles" permission to administrators only, removing or reducing it for all other users to minimize the risk of an attacker using this capability.
  • Monitor for anomalous POST requests to the subtitle upload endpoint and for suspicious file write activity, and isolate or block the server from the network if unauthorized activity is detected.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 17:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*

Thu, 16 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values Added: Jellyfin; Jellyfin jellyfin
Type: Vendors & Products
Values Added: Jellyfin; Jellyfin jellyfin

Tue, 14 Apr 2026 22:45:00 +0000

Type: Description
Values Added: Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.
Type: Title
Values Added: Jellyfin: Potential RCE via subtitle upload path traversal + .strm chain
Type: Weaknesses
Values Added: CWE-187, CWE-20, CWE-22
Type: References
Values Added: (none)
Type: Metrics (cvssV3_1)
Values Added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Jellyfin Jellyfin

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T13:56:06.801Z

Reserved: 2026-03-31T21:06:06.427Z

Link: CVE-2026-35031

Vulnrichment

Updated: 2026-04-16T13:55:58.246Z

NVD

Status: Analyzed

Published: 2026-04-14T23:16:28.490

Modified: 2026-04-23T17:44:25.707

Link: CVE-2026-35031

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses