Vulnerability Description
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jellyfin | Jellyfin | < 10.11.7 |
Related Weaknesses (CWE)
References
- https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7ProductRelease Notes
- https://github.com/jellyfin/jellyfin/security/advisories/GHSA-8fw7-f233-ffr8ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-35032?
CVE-2026-35032 is a vulnerability with a CVSS score of 8.1 (HIGH). Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not vali...
How severe is CVE-2026-35032?
CVE-2026-35032 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35032?
Check the references section above for vendor advisories and patch information. Affected products include: Jellyfin Jellyfin.