CVE-2026-35031

Jellyfin · Jellyfin

Jellyfin versions prior to 10.11.7 contain a path traversal vulnerability in the subtitle upload endpoint, enabling arbitrary file write and potential remote code execution.

Executive summary

A critical path traversal vulnerability in Jellyfin versions prior to 10.11.7 allows an authenticated user who holds the subtitle upload permission to write files outside the intended subtitle directory. The write runs with the privileges of the Jellyfin service process, which is root in many container deployments, so it can be turned into remote code execution as root.

Vulnerability

The subtitle upload endpoint does not validate the request fields it uses to build the destination file name, so directory traversal sequences in an upload move the write outside the intended subtitle directory. Exploitation requires an authenticated account that either is an administrator or has been granted the "Upload Subtitles" permission. With that account an attacker controls both the destination path and the file contents, which is an arbitrary file write; by targeting a file that the server or the host executes, it can be escalated to full system compromise.
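To make the bug class concrete, the following is an added illustration and not Jellyfin's code: it models a subtitle upload handler that joins user-supplied fields into a destination path without validation, beside a hardened version that allowlists each field and then refuses any result that normalizes to a location outside the subtitle directory. The directory name and the field names (language, format) are assumptions for the example.

```python
import os
import re
import uuid

# Assumed directory and field names; constructed for this example, not taken
# from Jellyfin. Only the structure of the check matters.
SUBTITLE_ROOT = "/var/lib/jellyfin/subtitles"
ALLOWED_FORMATS = {"srt", "ass", "ssa", "vtt", "sub"}
LANGUAGE_RE = re.compile(r"^[a-z]{2,3}$")


def vulnerable_subtitle_path(item_id, language, fmt, root=SUBTITLE_ROOT):
    """Builds the destination from request fields with no validation.

    Any field containing '..' or a path separator moves the write outside
    the subtitle directory; combined with attacker-chosen file contents
    that is an arbitrary file write.
    """
    return os.path.join(root, item_id, f"{language}.{fmt}")


def safe_subtitle_path(item_id, language, fmt, root=SUBTITLE_ROOT):
    """Validates each field against an allowlist, then confirms that the
    normalized result still lies under root. Raises ValueError otherwise."""
    item_id = str(uuid.UUID(item_id))          # raises ValueError if not a GUID
    if not LANGUAGE_RE.fullmatch(language):
        raise ValueError(f"bad language tag: {language!r}")
    fmt = fmt.lower()
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported subtitle format: {fmt!r}")
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, item_id, f"{language}.{fmt}"))
    # Defence in depth: even if a validator above is relaxed later, refuse
    # anything that normalizes to a location outside root. Production code
    # should additionally resolve symlinks before this comparison.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("destination escapes subtitle root")
    return candidate


def escapes_root(path, root=SUBTITLE_ROOT):
    """True when the lexically normalized path is not under root."""
    root = os.path.normpath(root)
    return os.path.commonpath([root, os.path.normpath(path)]) != root


if __name__ == "__main__":
    item = "3fa85f64-5717-4562-b3fc-2c963f66afa6"   # constructed item id
    hostile = "../../../../../etc/cron.d/evil"       # traversal in the language field
    print(vulnerable_subtitle_path(item, hostile, "srt"), escapes_root(vulnerable_subtitle_path(item, hostile, "srt")))
    print(safe_subtitle_path(item, "en", "SRT"))
    try:
        safe_subtitle_path(item, hostile, "srt")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist checks do the real work; the final containment check is there so that a later change to one validator (say, accepting longer language tags) cannot silently reopen the traversal.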

Business impact

The potential for remote code execution with root-level privileges poses a catastrophic risk to the integrity and confidentiality of the media server. A successful exploit could lead to complete system takeover, unauthorized data access, and lateral movement within the network. With a CVSS score of 9.9, this vulnerability is classified as critical and demands immediate remediation.

Remediation

Immediate Action: Upgrade Jellyfin instances to version 10.11.7 or later to implement proper input validation on the subtitle upload endpoint.

Proactive Monitoring: Review access logs for POST requests to the /Videos/{itemId}/Subtitles endpoint and look for directory traversal patterns (../, ..\, and their percent-encoded or double-encoded forms). Note that the subtitle upload travels in the request body, so a reverse proxy access log that records only the request line will not show traversal sequences placed in body fields; enable request body logging on the proxy where feasible, and correlate with file integrity monitoring for new files appearing outside the subtitle directories.

Compensating Controls: If immediate patching is not possible, restrict the "Upload Subtitles" permission, and administrator rights, to a small set of trusted accounts to minimize the attack surface, and review which accounts currently hold either.
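As an added example of the log review suggested under Proactive Monitoring (this is not part of the original advisory and not a Jellyfin tool), the script below scans access log lines for POST requests to /Videos/{itemId}/Subtitles and reports whether a traversal sequence appears in the URL, in a logged request body, or in neither. The sample lines are constructed, not real traffic; they follow the common combined log layout with an extra trailing body= field standing in for a proxy configured to log request bodies, which is an assumption about the deployment.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). The trailing "body=" field
# is an assumption: most reverse proxies do not log request bodies unless
# explicitly configured to, which is the visibility gap discussed above.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Mar/2026:10:01:12 +0000] "POST /Videos/3fa85f64-5717-4562-b3fc-2c963f66afa6/Subtitles HTTP/1.1" 204 0 "-" "Jellyfin Web" body={"Language":"en","Format":"srt","Data":"MQo="}',
    '10.0.0.9 - - [14/Mar/2026:10:02:40 +0000] "POST /Videos/3fa85f64-5717-4562-b3fc-2c963f66afa6/Subtitles HTTP/1.1" 204 0 "-" "curl/8.5.0" body={"Language":"en","Format":"srt/../../../../../etc/cron.d/x","Data":"MQo="}',
    '10.0.0.9 - - [14/Mar/2026:10:03:01 +0000] "POST /videos/3fa85f64-5717-4562-b3fc-2c963f66afa6/subtitles/..%2f..%2fconfig HTTP/1.1" 404 0 "-" "curl/8.5.0" body=-',
    '10.0.0.7 - - [14/Mar/2026:10:04:15 +0000] "GET /Videos/3fa85f64-5717-4562-b3fc-2c963f66afa6/Subtitles HTTP/1.1" 200 512 "-" "Jellyfin Web" body=-',
    '10.0.0.9 - - [14/Mar/2026:10:05:30 +0000] "POST /Videos/3fa85f64-5717-4562-b3fc-2c963f66afa6/Subtitles HTTP/1.1" 204 0 "-" "curl/8.5.0" body={"Language":"..%252f..%252f..%252fetc%252fpasswd","Format":"srt","Data":"MQo="}',
]

# Combined log format plus the optional trailing body= field.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
    r'(?: body=(?P<body>.*))?$'
)
# Jellyfin routes are case-insensitive; the item id is a GUID with or without hyphens.
ENDPOINT_RE = re.compile(
    r'^/videos/(?P<item>[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}|[0-9a-f]{32})/subtitles(?:/|\?|$)',
    re.I,
)
# A ".." bounded by a slash or backslash on at least one side.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|[/\\]\.\.')


def normalize(text):
    """Undo single and double percent-encoding, JSON-escaped slashes, and case
    so that encoded traversal sequences are compared in one canonical form."""
    for _ in range(2):
        text = unquote(text)
    return text.replace('\\/', '/').lower()


def analyze(lines):
    """Return one finding per POST to the subtitle upload endpoint, with the
    list of places (url, body) where a traversal sequence was observed."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        endpoint = ENDPOINT_RE.match(normalize(m['target']))
        if not endpoint:
            continue
        traversal_in = [
            where for where, field in (('url', m['target']), ('body', m['body'] or ''))
            if TRAVERSAL_RE.search(normalize(field))
        ]
        findings.append({
            'ip': m['ip'],
            'time': m['ts'],
            'item': endpoint['item'],
            'status': int(m['status']),
            'user_agent': m['ua'],
            'traversal_in': traversal_in,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        flag = "TRAVERSAL in " + ",".join(f['traversal_in']) if f['traversal_in'] else "upload"
        print(f"{f['time']} {f['ip']} item={f['item']} status={f['status']} ua={f['user_agent']!r}: {flag}")
```

Findings with an empty traversal_in list are ordinary uploads and give a baseline of which accounts and clients normally use the endpoint; an unfamiliar user agent or an unusual burst of uploads is worth a look even without a traversal pattern. Because the exploit payload lives in the body, the script only finds the body cases when the proxy actually logs bodies; for nginx that means adding $request_body to the log_format, which is an assumption about the deployment rather than a default.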

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this vulnerability, combined with the potential for root-level access, necessitates an immediate upgrade to version 10.11.7 or later. Administrators should prioritize patching all Jellyfin instances and audit existing user permissions, in particular which accounts hold administrator rights or the "Upload Subtitles" permission, to ensure the principle of least privilege is strictly enforced.