CVE-2026-35031 Overview
CVE-2026-35031 is a critical vulnerability affecting Jellyfin, the popular open-source self-hosted media server. This vulnerability exists in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field lacks proper validation, allowing attackers to perform path traversal via the file extension and enabling arbitrary file write capabilities.
This arbitrary file write vulnerability can be chained into a devastating attack sequence: arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload manipulation.
Critical Impact
Authenticated attackers with subtitle upload permissions can achieve full system compromise, including remote code execution as root, through a sophisticated vulnerability chain exploiting inadequate input validation in the subtitle upload functionality.
Affected Products
- Jellyfin versions prior to 10.11.7
- Self-hosted Jellyfin installations with subtitle upload functionality enabled
- Systems where non-administrator users have been granted "Upload Subtitles" permission
Discovery Timeline
- 2026-04-14 - CVE-2026-35031 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-35031
Vulnerability Analysis
The vulnerability stems from improper input validation (CWE-20) in Jellyfin's subtitle upload endpoint. When users upload subtitles through the POST /Videos/{itemId}/Subtitles endpoint, the application fails to properly validate the Format field parameter, allowing attackers to inject path traversal sequences via the file extension.
This initial arbitrary file write capability serves as the foundation for a multi-stage attack chain. Attackers can leverage this flaw to write .strm files to arbitrary locations, which Jellyfin processes as media stream files. By crafting malicious .strm files, attackers can read arbitrary files from the system, including the Jellyfin database.
With database access, attackers can extract sensitive information and escalate their privileges to administrator level. The final stage of the attack chain involves writing a malicious shared library path to /etc/ld.so.preload, which is processed by the dynamic linker on Linux systems, resulting in code execution as root when any setuid binary is executed.
Root Cause
The root cause of this vulnerability is improper input validation in the subtitle upload handler. The Format field, which determines the file extension for uploaded subtitle files, is not sanitized for path traversal characters. This allows attackers to break out of the intended subtitle storage directory and write files to arbitrary locations on the filesystem.
The vulnerability specifically fails to:
- Validate that the Format field contains only expected subtitle format identifiers
- Sanitize path traversal sequences such as ../ from the file extension
- Restrict file write operations to the designated subtitle storage directory
Attack Vector
The attack requires network access to a Jellyfin instance and authentication with either an administrator account or a user account that has been explicitly granted the "Upload Subtitles" permission. The attack proceeds through the following stages:
- Initial Access: Attacker authenticates to Jellyfin with subtitle upload permissions
- Arbitrary File Write: Attacker crafts a malicious subtitle upload request with path traversal in the Format field
- File Read via .strm: Attacker writes a malicious .strm file to trigger arbitrary file read
- Database Extraction: Attacker extracts the Jellyfin database to obtain credentials and escalate privileges
- Root Code Execution: Attacker writes to /etc/ld.so.preload to achieve code execution as root
The attack exploits the subtitle upload endpoint by manipulating the Format parameter to include directory traversal sequences. For detailed technical information, refer to the GitHub Security Advisory GHSA-j2hf-x4q5-47j3.
Detection Methods for CVE-2026-35031
Indicators of Compromise
- Unexpected files appearing outside the Jellyfin subtitle storage directories
- Presence of .strm files in non-standard locations on the filesystem
- Modifications to /etc/ld.so.preload file
- Unusual database access patterns or exported database files
- Subtitle upload requests containing path traversal patterns such as ../
Detection Strategies
- Monitor HTTP requests to /Videos/{itemId}/Subtitles endpoints for path traversal patterns in the Format parameter
- Implement file integrity monitoring on critical system files, particularly /etc/ld.so.preload
- Review Jellyfin application logs for unusual subtitle upload activity or error messages related to file operations
- Deploy web application firewall rules to detect and block path traversal attempts in API parameters
Monitoring Recommendations
- Enable detailed logging for the Jellyfin subtitle upload functionality
- Configure alerts for file write operations outside expected directories
- Monitor user permission changes, especially grants of "Upload Subtitles" permission
- Implement network-level monitoring for unusual patterns of API requests to the subtitle endpoint
How to Mitigate CVE-2026-35031
Immediate Actions Required
- Upgrade Jellyfin to version 10.11.7 or later immediately
- Audit user accounts and remove "Upload Subtitles" permission from non-administrator users where possible
- Review server logs for any signs of exploitation attempts
- Check /etc/ld.so.preload and other critical system files for unauthorized modifications
Patch Information
The Jellyfin development team has addressed this vulnerability in version 10.11.7. The fix implements proper validation of the Format field in the subtitle upload endpoint, preventing path traversal attacks.
- Fixed Version: 10.11.7
- Release Information: GitHub Release v10.11.7
- Security Advisory: GHSA-j2hf-x4q5-47j3
Workarounds
- If immediate upgrade is not possible, restrict "Upload Subtitles" permission to trusted administrator accounts only
- Implement network-level access controls to limit who can reach the Jellyfin API
- Deploy a web application firewall with rules to block path traversal patterns in request parameters
- Consider running Jellyfin in a containerized environment to limit the impact of filesystem-based attacks
# Verify Jellyfin version after upgrade
jellyfin --version
# Expected output: 10.11.7 or higher
# Check for unauthorized modifications to ld.so.preload
cat /etc/ld.so.preload
# This file should typically be empty or non-existent
# Review user permissions in Jellyfin
# Navigate to: Dashboard > Users > [User] > Permissions
# Ensure "Upload Subtitles" is only granted to trusted administrators
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
