CVE-2026-49247
Deferred Deferred - Pending Action

Path Traversal in Jellyfin Media Server

Vulnerability report for CVE-2026-49247, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a result, any authenticated non-admin user can include ../ sequences in the Client field to cause Jellyfin to write attacker-controlled content to arbitrary paths reachable by the Jellyfin service user, with a forced .log suffix. This vulnerability is fixed in 10.11.10.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
jellyfin jellyfin From 10.9.0 (inc) to 10.11.10 (inc)
jellyfin jellyfin 10.11.10

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Jellyfin versions from 10.9.0 up to 10.11.10. The POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them without sanitization as part of the filename when saving client-uploaded log documents on disk.

Because the Client field can include '../' sequences, an authenticated non-admin user can exploit this to cause Jellyfin to write attacker-controlled content to arbitrary file paths accessible by the Jellyfin service user, with a forced .log file extension.

This means an attacker can perform directory traversal to write files outside the intended directory, potentially overwriting or creating files in sensitive locations.

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated non-admin user to write arbitrary files to locations on the server where Jellyfin runs.

Potential impacts include unauthorized modification or creation of files, which can lead to data corruption, service disruption, or even remote code execution if the attacker writes malicious scripts or configuration files.

The CVSS score of 8.8 indicates a high severity with high impact on confidentiality, integrity, and availability.

Mitigation Strategies

The vulnerability is fixed in Jellyfin version 10.11.10. The immediate step to mitigate this vulnerability is to upgrade your Jellyfin installation to version 10.11.10 or later.

Until the upgrade can be performed, restrict authenticated non-admin users from accessing the POST /ClientLog/Document endpoint to prevent exploitation.

Detection Guidance

This vulnerability involves the POST /ClientLog/Document endpoint accepting unsanitized Client and Version fields in the Authorization header, which can be exploited by including directory traversal sequences (../) in the Client field.

To detect attempts to exploit this vulnerability on your network or system, you can monitor HTTP POST requests to the /ClientLog/Document endpoint and inspect the Authorization header for suspicious patterns such as '../' sequences in the Client field.

Example commands to detect such attempts include:

  • Using tcpdump to capture relevant HTTP traffic: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'POST /ClientLog/Document'
  • Using grep or similar tools on Jellyfin access logs to find suspicious Authorization headers: grep -i 'POST /ClientLog/Document' /path/to/jellyfin/logs/access.log | grep '\.\./'
  • Using a web application firewall (WAF) or intrusion detection system (IDS) to alert on directory traversal patterns in HTTP headers.

Note that no specific detection commands or tools are provided in the available resources, so these suggestions are based on the nature of the vulnerability.

Compliance Impact

The vulnerability allows authenticated non-admin users to write arbitrary content to paths accessible by the Jellyfin service user, potentially leading to unauthorized data modification or exposure.

Such unauthorized access and modification could impact compliance with standards like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49247. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart