Vulnerability Description
Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions (nearly all write permissions), this vulnerability enables full repository takeover of jellyfin/jellyfin-ios, exfiltration of highly privileged secrets, Apple App Store supply chain attack, GitHub Container Registry (ghcr.io) package poisoning, and full jellyfin organization compromise via cross-repository token usage. Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jellyfin | Jellyfin | - |
Related Weaknesses (CWE)
References
- https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a72Patch
- https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmhVendor Advisory
FAQ
What is CVE-2026-31852?
CVE-2026-31852 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due...
How severe is CVE-2026-31852?
CVE-2026-31852 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-31852?
Check the references section above for vendor advisories and patch information. Affected products include: Jellyfin Jellyfin.