CVE-2026-31852

Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions (nearly all write permissions), this vulnerability enables full repository takeover of jellyfin/jellyfin-ios, exfiltration of highly privileged secrets, Apple App Store supply chain attack, GitHub Container Registry (ghcr.io) package poisoning, and full jellyfin organization compromise via cross-repository token usage. Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8	Patch
https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jellyfin:jellyfin:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-11 17:16

Updated : 2026-03-20 16:39

NVD link : CVE-2026-31852

Mitre link : CVE-2026-31852

CVE.ORG link : CVE-2026-31852

JSON object : View

Products Affected

jellyfin

jellyfin

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2026-31852", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-11T17:16:58.600", "references": [{"url": "https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions (nearly all write permissions), this vulnerability enables full repository takeover of jellyfin/jellyfin-ios, exfiltration of highly privileged secrets, Apple App Store supply chain attack, GitHub Container Registry (ghcr.io) package poisoning, and full jellyfin organization compromise via cross-repository token usage. Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions."}, {"lang": "es", "value": "Jellyfin es un sistema multimedia de c\u00f3digo abierto. El flujo de trabajo de GitHub Actions 'code-quality.yml' en jellyfin/jellyfin-ios es vulnerable a la ejecuci\u00f3n de c\u00f3digo arbitrario a trav\u00e9s de solicitudes de extracci\u00f3n (pull requests) de repositorios bifurcados. Debido a los permisos elevados del flujo de trabajo (casi todos los permisos de escritura), esta vulnerabilidad permite la toma de control completa del repositorio jellyfin/jellyfin-ios, la exfiltraci\u00f3n de secretos altamente privilegiados, un ataque a la cadena de suministro de la Apple App Store, el envenenamiento de paquetes del GitHub Container Registry (ghcr.io) y el compromiso completo de la organizaci\u00f3n jellyfin a trav\u00e9s del uso de tokens entre repositorios. Nota: Esto no es una vulnerabilidad de c\u00f3digo, sino una vulnerabilidad en los flujos de trabajo de GitHub Actions. No se requiere una nueva versi\u00f3n para esta GHSA y los usuarios finales no necesitan tomar ninguna medida."}], "lastModified": "2026-03-20T16:39:05.340", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jellyfin:jellyfin:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F93B191D-575B-4255-9BB5-711F03BABB00"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}