Server-Side Request Forgery and Local File Read in Jellyfin Media Server
CVE-2026-35032

8.6HIGH

Key Information:

Vendor: Jellyfin
Status: Jellyfin
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-35032?

Jellyfin, an open-source self-hosted media server, has a vulnerability in its LiveTV M3U tuner endpoint. This flaw allows local file reads through non-HTTP paths and enables Server-Side Request Forgery (SSRF) through HTTP URLs. Any authenticated user can exploit this insecurity due to the default permission settings, which grant 'EnableLiveTvManagement' privilege to all new users. An attacker can leverage this vulnerability chain by introducing a malicious M3U tuner URL that connects to a controlled server. This crafted M3U file can link to sensitive Jellyfin database information, resulting in unauthorized access and the potential exfiltration of admin session tokens. Users are advised to upgrade to version 10.11.7 for a fix or alternatively disable Live TV Management privileges as a mitigation step.

Affected Version(s)

jellyfin < 10.11.7

References

https://github.com/jellyfin/jellyfin/security/advisories/...

x_refsource_CONFIRM

https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7

x_refsource_MISC

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Mar 31, 2026

CVE-2026-35032 Data

JSON