Directory Traversal Vulnerability in Jellyfin Media Server
CVE-2026-49247

8.8 HIGH

Key Information:

Vendor: Jellyfin
Status: Vendor
CVE Published: 24 June 2026

What is CVE-2026-49247?

Jellyfin, an open-source self-hosted media server, contains a directory traversal vulnerability affecting versions 10.9.0 through 10.11.10. The flaw lies in how the Client and Version fields of the Authorization header are used at the POST /ClientLog/Document endpoint: the values are incorporated into the name of the file the log is written to. An authenticated non-admin user can include '../' sequences in the Client field, causing Jellyfin to write the log file to an arbitrary path on the file system. This creates a risk of writing attacker-controlled content to locations writable by the Jellyfin service user. This issue has been addressed in version 10.11.10.
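The defensive pattern the advisory implies, as an added illustration in Python that is not Jellyfin's code and not the change shipped in 10.11.10: an endpoint that derives a log filename from caller-supplied header fields should allow-list each field and then confirm the final path is still inside the intended log directory. The log root, the field grammar and the function names are assumptions made for this example, and the sample inputs at the bottom are constructed.

```python
import re
from pathlib import Path

# Assumed log root for this example; the page does not state Jellyfin's real location.
LOG_ROOT = Path("/var/lib/mediaserver/clientlogs")

# Allow-list grammar for the Client and Version header fields: letters, digits,
# space, dot, underscore and hyphen. Forward and backward slashes are never
# accepted, so any "../" sequence is rejected before a path is built.
SAFE_FIELD = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def build_client_log_path(client: str, version: str, root: Path = LOG_ROOT) -> Path:
    """Return the file a client log may be written to, or raise ValueError.

    Two independent controls are applied: an allow-list on each field, and a
    containment check that the resolved path still sits directly under `root`
    (defense in depth against anything the allow-list might miss).
    """
    for name, value in (("Client", client), ("Version", version)):
        # Reject disallowed characters and fields made only of dots/spaces ("", ".", "..").
        if not SAFE_FIELD.fullmatch(value) or value.strip(". ") == "":
            raise ValueError(f"{name} field rejected: {value!r}")

    filename = f"{client}-{version}.log".replace(" ", "_")
    root_resolved = root.resolve()
    candidate = (root_resolved / filename).resolve()

    # Containment check: the parent of the final path must be the log root itself.
    if candidate.parent != root_resolved:
        raise ValueError("resolved log path escapes the log directory")
    return candidate


def is_accepted(client: str, version: str, root: Path = LOG_ROOT) -> bool:
    """Accept/reject predicate for callers that only need a decision (hypothetical helper)."""
    try:
        build_client_log_path(client, version, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a normal client string and a traversal attempt
    # of the kind the advisory describes.
    print(build_client_log_path("Example Client", "1.2.3"))
    print(is_accepted("../../outside", "1.0"))
```

The allow-list is the primary control; the containment check exists so that a future change to the filename format (or a field the regex later permits) cannot silently reintroduce the escape. Logging each rejection with the offending field value also gives a cheap detection signal for traversal attempts against the endpoint.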

Affected Version(s)

jellyfin >= 10.9.0, < 10.11.10

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved