CVE-2026-31852

Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions (nearly all write permissions), this vulnerability enables full repository takeover of jellyfin/jellyfin-ios, exfiltration of highly privileged secrets, Apple App Store supply chain attack, GitHub Container Registry (ghcr.io) package poisoning, and full jellyfin organization compromise via cross-repository token usage. Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8	Patch
https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jellyfin:jellyfin:-:*:*:*:*:*:*:*

History

20 Mar 2026, 16:39

Type	Values Removed	Values Added
First Time		Jellyfin Jellyfin jellyfin
CPE		cpe:2.3:a:jellyfin:jellyfin:-:::::::*
References	~~() https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8 -~~	() https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8 - Patch
References	~~() https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh -~~	() https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh - Vendor Advisory
Summary		(es) Jellyfin es un sistema multimedia de código abierto. El flujo de trabajo de GitHub Actions 'code-quality.yml' en jellyfin/jellyfin-ios es vulnerable a la ejecución de código arbitrario a través de solicitudes de extracción (pull requests) de repositorios bifurcados. Debido a los permisos elevados del flujo de trabajo (casi todos los permisos de escritura), esta vulnerabilidad permite la toma de control completa del repositorio jellyfin/jellyfin-ios, la exfiltración de secretos altamente privilegiados, un ataque a la cadena de suministro de la Apple App Store, el envenenamiento de paquetes del GitHub Container Registry (ghcr.io) y el compromiso completo de la organización jellyfin a través del uso de tokens entre repositorios. Nota: Esto no es una vulnerabilidad de código, sino una vulnerabilidad en los flujos de trabajo de GitHub Actions. No se requiere una nueva versión para esta GHSA y los usuarios finales no necesitan tomar ninguna medida.

11 Mar 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 17:16

Updated : 2026-03-20 16:39

NVD link : CVE-2026-31852

Mitre link : CVE-2026-31852

CVE.ORG link : CVE-2026-31852

JSON object : View

Products Affected

jellyfin

jellyfin

CWE

CWE-269

Improper Privilege Management

10.0 /10