CVE-2026-35032
SSRF and Local File Read in Jellyfin LiveTV Tuner Endpoint
Publication date: 2026-04-14
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jellyfin | jellyfin | to 10.11.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Jellyfin versions prior to 10.11.7 in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts). The tuner URL is not properly validated, which allows an authenticated user to perform local file reads using non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs.
Because the EnableLiveTvManagement permission defaults to true for all new users, any authenticated user can exploit this. An attacker can add an M3U tuner pointing to a server they control, which serves a crafted M3U file containing a channel that points to the Jellyfin database. This allows the attacker to exfiltrate the database, extract admin session tokens, and escalate their privileges to admin.
The issue was fixed in version 10.11.7. Users unable to upgrade immediately can mitigate the risk by disabling Live TV Management privileges for all users.
How can this vulnerability impact me? :
This vulnerability can have serious impacts because it allows an authenticated user to read local files on the server and perform SSRF attacks.
An attacker can exfiltrate the Jellyfin database, which may contain sensitive information such as admin session tokens. With these tokens, the attacker can escalate their privileges to admin, gaining full control over the media server.
This could lead to unauthorized access, data leakage, and potential manipulation or disruption of the media server.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Jellyfin to version 10.11.7 or later where the issue is fixed.
If upgrading is not possible right away, disable the Live TV Management privileges for all users to prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Jellyfin allows an authenticated attacker to read local files and perform server-side request forgery, potentially exfiltrating the database and extracting admin session tokens. This could lead to unauthorized access to sensitive data.
Such unauthorized access and data exfiltration could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.