Directory Traversal Vulnerability in Jellyfin Media Server
CVE-2026-49247
8.8 HIGH
What is CVE-2026-49247?
Jellyfin, an open-source self-hosted media server, contains a directory traversal vulnerability affecting versions from 10.9.0 up to the fix in 10.11.10. The flaw lies in how the Client and Version fields of the Authorization header are handled by the POST /ClientLog/Document endpoint: the field values are used when building the path of the log file that the endpoint writes. An authenticated non-admin user can place '../' sequences in the Client field, causing Jellyfin to save the log file to an arbitrary path on the file system. Because the write runs as the Jellyfin service user, attacker-chosen content can end up in any location that user can write to. This issue has been addressed in version 10.11.10.
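An added example, not Jellyfin's code, showing the defect class described above in Python: an unsafe path join that lets a Client field containing '../' leave the log directory, a hardened builder that allow-lists each field and re-checks containment, and a detection check for request logs. The log directory, the `{client}_{version}.log` naming scheme and the `MediaBrowser Client="…", Version="…"` header layout are assumptions made for the example.

```python
import posixpath
import re

# Constructed base directory for the example; the real Jellyfin log location is not on the page.
LOG_DIR = "/srv/jellyfin/log"

# Assumed header layout: scheme word followed by key="value" pairs, e.g.
#   MediaBrowser Client="Jellyfin Web", Version="10.11.9"
_FIELD = re.compile(r'(\w+)="([^"]*)"')
# Allow-list for one path component: letters, digits, space, dot, underscore, dash;
# no separators, and not a name made only of dots.
_SAFE_COMPONENT = re.compile(r"^(?!\.+$)[A-Za-z0-9 ._-]{1,64}$")


def parse_auth_header(header: str) -> dict:
    """Return the key/value fields of an Authorization header as a dict."""
    return dict(_FIELD.findall(header))


def naive_log_path(client: str, version: str) -> str:
    """The unsafe pattern: user-controlled fields are joined straight into the path."""
    return posixpath.normpath(posixpath.join(LOG_DIR, f"{client}_{version}.log"))


def escapes_log_dir(path: str) -> bool:
    """True if the normalised path does not stay under LOG_DIR (prefix-safe via commonpath)."""
    return posixpath.commonpath([LOG_DIR, posixpath.normpath(path)]) != LOG_DIR


def safe_log_path(client: str, version: str) -> str:
    """Hardened builder: allow-list each field, then re-check containment as defence in depth."""
    for name, value in (("Client", client), ("Version", version)):
        if not _SAFE_COMPONENT.match(value):
            raise ValueError(f"rejected {name} field: {value!r}")
    path = posixpath.normpath(posixpath.join(LOG_DIR, f"{client}_{version}.log"))
    if escapes_log_dir(path):  # unreachable after the allow-list, kept as a guard
        raise ValueError("log path escaped the log directory")
    return path


def flags_traversal(header: str) -> bool:
    """Detection rule for request logs or a WAF: any field carrying '..' or a path separator."""
    return any(".." in v or "/" in v or "\\" in v for v in parse_auth_header(header).values())


if __name__ == "__main__":
    fields = parse_auth_header('MediaBrowser Client="Jellyfin Web", Version="10.11.9"')
    print(safe_log_path(fields["Client"], fields["Version"]))
    print(flags_traversal('MediaBrowser Client="../../outside", Version="1.0"'))
```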
Affected Version(s)
jellyfin >= 10.9.0, < 10.11.10
