Description
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.
Published: 2026-04-14
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file read and SSRF
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs in Jellyfin’s LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts). The tuner URL is not validated, allowing attackers to supply non‑HTTP paths for local file read as well as HTTP URLs that trigger Server‑Side Request Forgery. Because the EnableLiveTvManagement permission defaults to true for new users, any authenticated user can exploit this flaw. The flaw exposes the Jellyfin database, potentially leaking admin session tokens and enabling privilege escalation. The weakness is categorized as CWE‑73 (Unvalidated Path Manipulation) and CWE‑918 (Server‑Side Request Forgery).
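The following is an added example, not Jellyfin's own code, of the allow-list check the advisory says is missing before a user-supplied tuner URL is fetched. Everything in it is hypothetical (the function names `validate_tuner_url`, `is_acceptable_tuner_url` and `is_public_address`, the injectable `resolver` parameter, and the constructed `FAKE_DNS` table and sample URLs); it demonstrates both halves of the weakness pair the analysis names: only `http`/`https` schemes are accepted, so a bare local path or `file://` URL can never be opened as a "tuner" (CWE-73), and the host must not resolve to a loopback, private or link-local address, so the server cannot be used as a request relay (CWE-918).

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hypothetical allow-list validator for user-supplied tuner/playlist URLs.
# Added example, not Jellyfin's code. Two checks: (1) scheme must be http or
# https so a local path or file:// URL is never opened; (2) the target must not
# resolve to a loopback, private or link-local address.

ALLOWED_SCHEMES = frozenset({"http", "https"})

# A resolver maps a hostname to the addresses it resolves to. It is a parameter
# so tests and offline runs can substitute a stub for the system resolver.
Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to all of its IPv4/IPv6 addresses via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 literals (::ffff:a.b.c.d) are unwrapped first so an
    internal IPv4 target cannot hide inside an IPv6 address.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_tuner_url(url: str, resolver: Resolver = default_resolver) -> str:
    """Return the URL if acceptable as a tuner source, otherwise raise ValueError.

    Fails closed: anything that does not parse as http/https with a host that
    resolves only to public addresses is rejected.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed; only http/https")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in the URL are not allowed")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: check directly
    except ValueError:
        try:
            addrs = list(resolver(host))  # hostname: check every address it maps to
        except OSError as exc:
            raise ValueError(f"cannot resolve host {host!r}") from exc
        if not addrs:
            raise ValueError(f"host {host!r} does not resolve")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"host {host!r} maps to non-public address {addr}")
    return parts.geturl()


def is_acceptable_tuner_url(url: str, resolver: Resolver = default_resolver) -> bool:
    """Boolean wrapper around validate_tuner_url."""
    try:
        validate_tuner_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS data (not real hosts) so the demonstration runs offline.
FAKE_DNS = {
    "playlist.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
    "linklocal.example": ["169.254.10.20"],
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    samples = [
        "https://playlist.example/tv.m3u",             # accepted
        "/var/lib/example/app.db",                     # bare local path: no scheme
        "file:///var/lib/example/app.db",              # file scheme
        "http://127.0.0.1:8096/tv.m3u",                # loopback literal
        "http://[::ffff:10.0.0.5]/tv.m3u",             # IPv4-mapped private address
        "http://rebind.example/tv.m3u",                # one of its addresses is loopback
        "http://linklocal.example/tv.m3u",             # link-local
        "http://user:secret@playlist.example/tv.m3u",  # embedded credentials
    ]
    for s in samples:
        verdict = "ACCEPT" if is_acceptable_tuner_url(s, fake_resolver) else "REJECT"
        print(f"{verdict:6} {s}")
```

Two design points: the resolver is consulted only for names that fail a strict IP parse, so unusual literal forms (decimal or hex integers) fall through to the resolver and are rejected when it returns nothing; and because a name can change between validation and connection, the same address check should be applied again at connect time (or the fetch pinned to the validated addresses), with the egress firewall rule recommended later on this page as the backstop.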

Affected Systems

The affected vendor and product are Jellyfin and its jellyfin media server. All versions older than 10.11.7 are impacted; the vulnerability is fixed in version 10.11.7.

Risk and Exploitability

The flaw carries a CVSS score of 8.6, indicating a high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not currently actively exploited in the wild. However, the attack vector is relatively simple for an authenticated user, requiring only the ability to add an M3U tuner. An attacker can create a chain by pointing a tuner to an attacker‑controlled server that serves a crafted M3U file with a channel referencing the Jellyfin database, exfiltrate that database, and then leverage extracted admin session tokens to gain administrative privileges. Because the flaw combines SSRF with local file read, the potential impact on confidentiality, integrity, and availability is significant if not mitigated promptly.

Generated by OpenCVE AI on April 14, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jellyfin to version 10.11.7 or later.
  • Disable the Live TV Management privilege for all users if an upgrade cannot occur immediately.
  • Configure firewall rules to restrict outbound HTTP/HTTPS traffic from the Jellyfin server to mitigate SSRF by allowing only trusted domains.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 14:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Wed, 15 Apr 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values added: Jellyfin; Jellyfin jellyfin

Type: Vendors & Products
Values added: Jellyfin; Jellyfin jellyfin

Tue, 14 Apr 2026 22:45:00 +0000

Type: Description
Values added: (the CVE description shown in the Description section above)

Type: Title
Values added: Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner

Type: Weaknesses
Values added: CWE-73; CWE-918

Type: References
Values added: (not shown)

Type: Metrics (cvssV4_0)
Values added: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Jellyfin Jellyfin
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T20:02:29.887Z

Reserved: 2026-03-31T21:06:06.427Z

Link: CVE-2026-35032

Vulnrichment

Updated: 2026-04-15T18:47:25.308Z

NVD

Status : Analyzed

Published: 2026-04-14T23:16:28.660

Modified: 2026-04-23T14:03:09.853

Link: CVE-2026-35032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses