CVE-2026-35034
Denial of Service in Jellyfin SyncPlay Group Creation Endpoint
Publication date: 2026-04-14
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jellyfin | jellyfin | all versions before 10.11.7 (10.11.7 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Jellyfin versions prior to 10.11.7 in the SyncPlay group creation endpoint (POST /SyncPlay/New). An authenticated user can create groups with names of unlimited size because the input is not properly validated. By sending very large payloads along with arbitrary group IDs, an attacker can cause the endpoint to become unresponsive for other clients trying to join SyncPlay groups.
This leads to a denial of service condition by significantly increasing the memory usage of the Jellyfin process, which can cause it to crash due to running out of memory.
How can this vulnerability impact me?
The main impact of this vulnerability is a denial of service (DoS) attack against the Jellyfin media server. An attacker who is authenticated can exploit this flaw to crash the server by exhausting its memory resources.
- Legitimate users may be locked out from creating or joining SyncPlay groups.
- The server may become unstable or unavailable due to out-of-memory crashes.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Jellyfin to version 10.11.7 or later, where the issue has been fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Jellyfin prior to version 10.11.7 is a denial of service issue that allows an authenticated user to create groups with names of unlimited size, potentially causing an out-of-memory crash. This vulnerability impacts availability but does not affect confidentiality or integrity of data.
Since the vulnerability does not involve unauthorized access to personal data or data leakage, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal health or personal data.
However, the denial of service could affect system availability, which is a component of some compliance frameworks. Organizations relying on Jellyfin for media services should consider the risk of service disruption and apply the fixed version to maintain operational stability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the SyncPlay group creation endpoint (POST /SyncPlay/New) in Jellyfin versions prior to 10.11.7, where an authenticated user can create groups with names of unlimited size. Detection would involve monitoring for unusually large POST requests to the /SyncPlay/New endpoint.
You can detect potential exploitation attempts by inspecting web server or application logs for large payloads sent to the SyncPlay group creation endpoint.
Example commands to detect such activity might include:
- Using grep to find large POST requests in access logs: `grep 'POST /SyncPlay/New' /path/to/jellyfin/access.log | awk '{print length, $0}' | sort -nr | head`
- Using tcpdump or Wireshark to capture HTTP POST requests to /SyncPlay/New and analyze payload sizes.
- Monitoring Jellyfin process memory usage for unusual spikes that could indicate exploitation attempts.
Note that these are general suggestions based on the vulnerability description; no specific detection commands or tools are provided in the available information.
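The grep pipeline above ranks log lines by their total length, which only reflects the request body if the log format records it; most reverse-proxy access-log formats record response bytes, not request bytes, so a field for the received request size (for example nginx's `$request_length`) has to be added before body size can be read from the log. The following is an added detection example, not code from this page or from the Jellyfin project. It assumes a constructed access-log layout in which the field after the HTTP status is the request size in bytes, parses constructed sample lines, flags `POST /SyncPlay/New` requests whose body exceeds a threshold (64 KiB here, an arbitrary constructed value; a legitimate group-creation body is a few hundred bytes at most), and aggregates the hits per client so repeated oversized group creations and any accompanying 5xx responses stand out together.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical layout:
#   client_ip user [timestamp] "METHOD path PROTO" status request_bytes response_bytes
# Real Jellyfin or reverse-proxy logs differ; adapt LOG_RE to the format in use.
SAMPLE_LOG = """\
198.51.100.7 alice [14/Apr/2026:10:01:02 +0000] "POST /SyncPlay/New HTTP/1.1" 200 143 512
198.51.100.7 alice [14/Apr/2026:10:01:09 +0000] "POST /SyncPlay/Join HTTP/1.1" 204 58 0
203.0.113.5 bob [14/Apr/2026:10:02:15 +0000] "POST /SyncPlay/New HTTP/1.1" 200 5242880 512
203.0.113.5 bob [14/Apr/2026:10:02:16 +0000] "POST /SyncPlay/New HTTP/1.1" 200 5242880 512
203.0.113.5 bob [14/Apr/2026:10:02:17 +0000] "POST /SyncPlay/New HTTP/1.1" 500 5242880 0
192.0.2.9 carol [14/Apr/2026:10:03:00 +0000] "GET /System/Info HTTP/1.1" 200 0 2048
this line is malformed and should be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<req_bytes>\d+) (?P<resp_bytes>\d+)$'
)

# The group-creation endpoint named in the advisory.
TARGET_PATH = "/SyncPlay/New"
# Constructed threshold: anything above this for a group-creation body is suspicious.
BODY_THRESHOLD = 64 * 1024


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("status", "req_bytes", "resp_bytes"):
        rec[key] = int(rec[key])
    return rec


def find_oversized_group_creations(log_text, threshold=BODY_THRESHOLD):
    """Return records for POST /SyncPlay/New requests whose body exceeds threshold."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole scan
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if rec["method"] == "POST" and path == TARGET_PATH and rec["req_bytes"] > threshold:
            hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Aggregate hits per (ip, user): count, total bytes sent, and 5xx responses seen."""
    summary = defaultdict(lambda: {"count": 0, "total_bytes": 0, "errors": 0})
    for rec in hits:
        entry = summary[(rec["ip"], rec["user"])]
        entry["count"] += 1
        entry["total_bytes"] += rec["req_bytes"]
        if rec["status"] >= 500:  # server errors after large bodies may indicate memory pressure
            entry["errors"] += 1
    return dict(summary)


if __name__ == "__main__":
    for (ip, user), s in summarize_by_client(find_oversized_group_creations(SAMPLE_LOG)).items():
        print(f"{ip} {user}: {s['count']} oversized POST {TARGET_PATH}, "
              f"{s['total_bytes']} request bytes, {s['errors']} 5xx responses")
```

On the constructed sample, only `bob` is reported: three oversized group-creation requests totalling 15 MiB, one of them followed by a 500. A 5xx immediately after a large body is worth correlating with the process-memory monitoring the answer above suggests, since the advisory describes the failure mode as memory growth ending in a crash.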