CVE-2026-35032
Published: 14 April 2026
Summary
CVE-2026-35032 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Jellyfin. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 10.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the lack of validation on tuner URLs, preventing local file reads via path traversal and SSRF via arbitrary HTTP requests.
- AC-6 (Least Privilege): enforces least privilege by restricting the EnableLiveTvManagement permission, preventing exploitation by non-admin authenticated users, as recommended in the advisory.
- Patch/upgrade: remediates the vulnerability chain by updating to Jellyfin version 10.11.7, eliminating the unvalidated tuner endpoint flaws.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Jellyfin is a public-facing media server, and the missing validation in its LiveTV tuner endpoint lets a low-privileged authenticated user read local database files and extract admin session tokens, escalating to administrator level.
NVD Description
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.
Deeper analysis
CVE-2026-35032 is a vulnerability chain affecting Jellyfin, an open-source self-hosted media server, in versions prior to 10.11.7. The issue resides in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL lacks proper validation. This enables local file reads through non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. The vulnerability is associated with CWE-73 (External Control of File Name or Path) and CWE-918 (SSRF), earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Any authenticated user can exploit this vulnerability, as the EnableLiveTvManagement permission defaults to true for all new users. An attacker chains the flaws by adding an M3U tuner host pointing to a server they control, which serves a crafted M3U playlist containing a channel that targets the Jellyfin database file. This allows exfiltration of the database, from which admin session tokens can be extracted to escalate privileges to administrator level.
The vulnerability has been addressed in Jellyfin version 10.11.7. For users unable to upgrade immediately, the advisory recommends disabling Live TV Management privileges for all users. Additional details are available in the Jellyfin release notes at https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7 and the security advisory at https://github.com/jellyfin/jellyfin/security/advisories/GHSA-8fw7-f233-ffr8.
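The input-validation control (SI-10) that closes both primitives in this chain, as an added illustration that is not Jellyfin's code or its actual 10.11.7 patch: the tuner host URL and every channel URL in the fetched M3U must be an absolute http(s) URL whose host is not a loopback, private or otherwise non-routable address. The sample playlist and the local file path in it are constructed placeholders.

```python
"""Validate LiveTV tuner host URLs and M3U channel URLs so that neither a
non-HTTP path (local file read) nor an internal HTTP target (SSRF) is accepted.
Hypothetical hardening logic, not the Jellyfin project's own code."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
LOOPBACK_NAMES = {"localhost"}


def validate_tuner_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). Only absolute http(s) URLs with a routable host pass."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # Bare paths, file://, UNC paths and drive letters all land here.
        return False, f"scheme '{parts.scheme or 'none'}' is not http/https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() in LOOPBACK_NAMES:
        return False, "loopback hostname"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Named host: DNS resolution and rebinding checks are out of scope here.
        return True, "ok"
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return False, f"address {addr} is not publicly routable"
    return True, "ok"


def validate_m3u(text: str) -> list[tuple[str, bool, str]]:
    """Apply the same rule to every channel URL in an M3U playlist body."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # #EXTM3U / #EXTINF metadata lines carry no URL
        ok, reason = validate_tuner_url(line)
        results.append((line, ok, reason))
    return results


# Constructed sample playlist: one legitimate stream, one entry pointing at a
# placeholder local file path, one at an internal service on the server itself.
SAMPLE_M3U = """#EXTM3U
#EXTINF:-1,News
https://streams.example.com/news.m3u8
#EXTINF:-1,Local file
/srv/placeholder/library.db
#EXTINF:-1,Internal service
http://127.0.0.1:8096/System/Info
"""

if __name__ == "__main__":
    for url, ok, reason in validate_m3u(SAMPLE_M3U):
        print("ACCEPT" if ok else "REJECT", url, "-", reason)
```

Rejecting the playlist entries, not only the tuner host URL, matters because the attacker-controlled server in the chain is reachable over HTTP; the dangerous reference is the channel it serves.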
Details
- CWE(s)