Description
Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a result, any authenticated non-admin user can include ../ sequences in the Client field to cause Jellyfin to write attacker-controlled content to arbitrary paths reachable by the Jellyfin service user, with a forced .log suffix. This vulnerability is fixed in 10.11.10.
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Jellyfin media server’s POST /ClientLog/Document endpoint, where the Authorization header’s Client and Version values are incorporated unsanitized into the on‑disk filename used to store uploaded log documents. An authenticated, non‑admin user can supply a Client value containing sequences such as ../ that alter the intended file path. The server then writes the supplied content to the constructed location with a forced .log extension. This flaw permits arbitrary file creation or overwrite of any file accessible to the Jellyfin service user, potentially exposing sensitive data or enabling the execution of malicious files. The impact is a loss of integrity for files within the service’s disk space and a risk of malicious payload deployment, while confidentiality is at risk if attacker‑controlled logs conceal data or contain malicious content. The weakness is classified as CWE‑22 Path Traversal.

Affected Systems

This issue affects the open‑source Jellyfin media server from version 10.9.0 up through 10.11.9, inclusive. Only users with authenticated, non‑admin permissions can exploit this behavior, as the endpoint requires Authorization for log uploads. Based on the description, it is inferred that installations on Windows and Linux running the vulnerable Jellyfin package are susceptible.

Risk and Exploitability

The recorded CVSS score of 8.8 indicates a high‑severity risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it has not yet been publicly exploited in the wild. The likely attack vector is a network‑based HTTP POST request to /ClientLog/Document from an authenticated session; the Authorization header can be manipulated by the attacker to supply the malicious Client value. Exploitation requires only that the victim’s Jellyfin server be reachable and that the user have a valid, non‑admin session. An attacker could therefore use any legitimate account – such as a shared user profile – to inject files of their choosing and potentially influence the server’s runtime behavior.

Generated by OpenCVE AI on June 24, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jellyfin to version 10.11.10 or later, where the path‑traversal bug is fixed.
  • If an upgrade cannot be performed immediately, restrict or disable the /ClientLog/Document endpoint for non‑admin users by using a firewall or reverse‑proxy rule so that only privileged accounts can submit logs.
  • Modify the code or add a sanitization layer to validate or escape the Client and Version fields in the Authorization header, ensuring that only legitimate client identifiers are allowed and that path traversal sequences are rejected or sanitized.

Generated by OpenCVE AI on June 24, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Jellyfin
Jellyfin jellyfin
Vendors & Products Jellyfin
Jellyfin jellyfin

Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a result, any authenticated non-admin user can include ../ sequences in the Client field to cause Jellyfin to write attacker-controlled content to arbitrary paths reachable by the Jellyfin service user, with a forced .log suffix. This vulnerability is fixed in 10.11.10.
Title Jellyfin: Potential Authenticated path traversal in /ClientLog/Document
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Jellyfin Jellyfin
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T03:55:58.837Z

Reserved: 2026-05-28T14:33:01.178Z

Link: CVE-2026-49247

cve-icon Vulnrichment

Updated: 2026-06-25T17:09:54.877Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T06:15:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')