Arbitrary Code Execution Vulnerability in Jellyfin iOS by Jellyfin
CVE-2026-31852
10 CRITICAL
What is CVE-2026-31852?
The Jellyfin iOS application's GitHub Actions workflow contains a vulnerability that allows arbitrary code execution through pull requests from forked repositories. Because the workflow is granted elevated permissions, the risks include repository takeover, exfiltration of sensitive secrets, and potential supply chain attacks on the Apple App Store. Possible cross-repository token usage extends the impact to the overall integrity of the Jellyfin organization, so repository maintainers need to manage workflow permissions carefully.
Affected Version(s)
code-quality.yml < 109217e75f38394b2f6e46e25dfe5a721203d3c8
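
An added example, not code from this page or from the Jellyfin project: a heuristic audit that maintainers can run over workflow files to flag a fork-triggered job that executes pull request code with a privileged token. The page does not show code-quality.yml, so the pull_request_target trigger, the head checkout and both sample workflows are assumptions constructed for illustration.

```python
import re

# Constructed samples (assumed pattern), not Jellyfin's code-quality.yml, which this page does not show.
RISKY = """\
on: pull_request_target
permissions:
  contents: write
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./lint.sh
"""
SAFE = """\
on: pull_request
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./lint.sh
"""
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
WRITE_PERM = re.compile(r"^[ \t]*permissions:[ \t]*write-all\b|^[ \t]+[\w-]+:[ \t]*write[ \t]*$", re.M)

def audit_workflow(text):
    """Heuristic, line-based audit of a workflow's YAML text; returns sorted finding codes."""
    body = "\n".join(l.split(" #")[0] for l in text.splitlines()
                     if not l.lstrip().startswith("#"))  # ignore YAML comments
    found = set()
    if re.search(r"\bpull_request_target\b", body):
        found.add("privileged-fork-trigger")   # job runs with the base repo's token and secrets
    if HEAD_REF.search(body):
        found.add("checks-out-pr-head")        # fork-supplied code lands in the workspace
    if WRITE_PERM.search(body):
        found.add("write-token")
    if not re.search(r"^\s*permissions:", body, re.M):
        found.add("no-permissions-block")      # token scope falls back to the repo/org default
    if {"privileged-fork-trigger", "checks-out-pr-head"} <= found:
        found.add("CRITICAL-untrusted-code-in-privileged-context")
    return sorted(found)

if __name__ == "__main__":
    print(audit_workflow(RISKY), audit_workflow(SAFE))
```

The matching is textual, so treat a clean result as a prompt for manual review of the workflow rather than proof that it is safe.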
