Executive Summary

[{'type': 'paragraph', 'content': "The vulnerability in CVE-2026-31852 affects the GitHub Actions workflow file `code-quality.yml` in the `jellyfin/jellyfin-ios` repository. It allows arbitrary code execution triggered by pull requests from forked repositories due to the workflow's excessive permissions, which include nearly all write capabilities."}, {'type': 'paragraph', 'content': 'This means that an attacker can execute malicious code within the workflow environment, leading to severe consequences such as full takeover of the repository, exfiltration of privileged secrets, supply chain attacks on the Apple App Store, poisoning of packages in the GitHub Container Registry, and even full compromise of the Jellyfin organization through misuse of cross-repository tokens.'}, {'type': 'paragraph', 'content': 'Importantly, this vulnerability is not due to a flaw in the application code itself but arises from insecure configuration of the GitHub Actions workflows.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have critical impacts including:

• Complete takeover of the `jellyfin/jellyfin-ios` repository.
• Exfiltration of highly privileged secrets such as bot tokens and Apple App Store Connect API credentials.
• Apple App Store supply chain attacks, which could allow malicious updates to iOS apps.
• Poisoning of packages in the GitHub Container Registry (`ghcr.io`).
• Full compromise of the Jellyfin organization through cross-repository token misuse.

The vulnerability has a critical CVSS score of 10.0, indicating it is easy to exploit remotely without any privileges or user interaction, and can lead to high confidentiality, integrity, and availability impacts.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises from the GitHub Actions workflow configuration in the jellyfin/jellyfin-ios repository, specifically the code-quality.yml workflow that runs with elevated permissions and is triggered by pull requests from forked repositories.

Detection involves reviewing the GitHub Actions workflows in your repository to identify if the code-quality.yml workflow or similar workflows are configured to run with excessive permissions, especially if they use the pull_request_target event or allow arbitrary code execution from forked pull requests.

Since this is a workflow configuration issue rather than a network or system vulnerability, traditional network commands or system scans will not detect it.

To detect if your repository is vulnerable, you can manually inspect the workflow files in the .github/workflows directory for the presence of the code-quality.yml workflow or similar workflows that run with write permissions and are triggered by pull requests from forks.

No specific commands are provided in the resources for automated detection on your network or system.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the GitHub Actions workflows to remove or restrict the use of the pull_request_target event that allows arbitrary code execution from forked pull requests.

Specifically, the code-quality.yml workflow should be modified to reduce permissions, avoid running with nearly all write permissions, and replace the pull_request_target trigger with pull_request where appropriate.

Additionally, all relevant secrets such as JF_BOT_TOKEN and Apple App Store Connect API credentials must be rotated to prevent misuse from any previously compromised tokens.

The jellyfin/jellyfin-ios repository has already updated its workflows to modularize and secure the CI process, as seen in the separation of SonarCloud analysis into a distinct workflow with reduced permissions.

No new software version is required; mitigation relies solely on patched CI workflows and secret rotation.

Useful 0 Not Useful 0