CRITICAL🇵🇱 Wersja polska

CVE-2026-31852

CVSS 10.0v3.1pub. 2026-03-11upd. 2026-03-20

Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions (nearly all write permissions), this vulnerability enables full repository takeover of jellyfin/jellyfin-ios, exfiltration of highly privileged secrets, Apple App Store supply chain attack, GitHub Container Registry (ghcr.io) package poisoning, and full jellyfin organization compromise via cross-repository token usage. Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions.

🤖 AI Analysis
How it works

The vulnerability results from improper permission management (CWE-269) in the CI/CD workflow: code-quality.yml has broadly granted write permissions to the repository. An attacker can send a pull request from a forked repository whose code will be executed in the context of a privileged workflow. This enables access to organization secrets, modification of repository content, and injection of malicious code into packages published in GitHub Container Registry (ghcr.io) and distribution on the Apple App Store.

Impact

An attacker can gain full control over the jellyfin/jellyfin-ios repository, steal highly privileged secrets, infect container packages and compromise the entire Jellyfin organization through multiple use of tokens across repositories, constituting a supply chain attack.

Mitigation & patch

The vulnerability only affects GitHub Actions workflow, not application code — end users do not need to take any action. The fix was introduced by the project creators in commit 109217e75f38394b2f6e46e25dfe5a721203d3c8 in the jellyfin/jellyfin-ios repository. Administrators of similar projects should verify the permissions of their own CI/CD workflows and restrict code execution from pull requests of external forks.

Who is affected

Repository jellyfin/jellyfin-ios — GitHub Actions workflow code-quality.yml; affects the project's CI/CD infrastructure, not the end software installed by users.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Jellyfin

    APP
    Jellyfin
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECI/CDContainer
CWE
References

Related vulnerabilities

CVE-2026-35031CRITICAL9.9PL ✓ten sam produkt

Jellyfin: RCE jako root przez path traversal w endpoincie przesyłania napisów

CVE-2026-35033CRITICAL9.3PL ✓ten sam produkt

Jellyfin: odczyt dowolnych plików przez command injection w ffmpeg

CVE-2023-30627CRITICAL9.0ten sam produkt

jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prio...

CVE-2026-35032HIGH8.6ten sam produkt

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain i...

CVE-2025-31499HIGH7.6ten sam produkt

Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument inject...