CVE-2026-35032 Overview
CVE-2026-35032 is a vulnerability chain affecting Jellyfin, an open source self-hosted media server. The vulnerability exists in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not properly validated. This allows attackers to perform local file read operations via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. The vulnerability is particularly dangerous because the EnableLiveTvManagement permission defaults to true for all new users, making it exploitable by any authenticated user.
Critical Impact
An attacker can chain these vulnerabilities to exfiltrate the Jellyfin database, extract admin session tokens, and escalate to full administrative privileges on the media server.
Affected Products
- Jellyfin versions prior to 10.11.7
Discovery Timeline
- 2026-04-14 - CVE CVE-2026-35032 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-35032
Vulnerability Analysis
This vulnerability is classified under CWE-73 (External Control of File Name or Path). The core issue stems from insufficient input validation in the LiveTV M3U tuner functionality. When a user adds a new tuner host through the /LiveTv/TunerHosts endpoint, the application fails to properly validate the provided URL, accepting both local file paths and arbitrary HTTP URLs without restriction.
The vulnerability chain enables a sophisticated attack where an authenticated user can leverage the SSRF component to point the tuner to an attacker-controlled server. This malicious server can then serve a crafted M3U playlist that references the Jellyfin database file path. When the server processes this playlist, it reads the database file and transmits its contents to the attacker's server. The database contains sensitive information including admin session tokens, which can be used to escalate privileges to administrator level.
Root Cause
The root cause is the lack of URL validation in the LiveTV M3U tuner endpoint. The application does not restrict the URL scheme or validate that the URL points to a legitimate external resource. This allows:
- Non-HTTP paths to be used for local file read operations
- HTTP URLs to be used for SSRF attacks against internal or external resources
The default permission configuration (EnableLiveTvManagement: true) for all new users significantly expands the attack surface, allowing any authenticated user to exploit these vulnerabilities.
Attack Vector
The attack is network-based and requires low-privilege authenticated access to the Jellyfin instance. An attacker executes the following chain:
- The attacker authenticates to Jellyfin with any valid user account
- Using the LiveTV Management feature, the attacker adds an M3U tuner pointing to their controlled server
- The attacker's server responds with a crafted M3U playlist containing a channel entry that references the local Jellyfin database path
- When Jellyfin processes the playlist, it reads the database file as channel data
- The database contents are exfiltrated to the attacker's server
- The attacker extracts admin session tokens from the database
- Using the stolen session tokens, the attacker escalates to administrative privileges
This attack requires no user interaction and can be performed by any authenticated user with default permissions.
Detection Methods for CVE-2026-35032
Indicators of Compromise
- Unusual tuner host configurations pointing to external or suspicious URLs in the LiveTV settings
- Network traffic from the Jellyfin server to unexpected external hosts on the tuner configuration port
- Access logs showing repeated requests to the /LiveTv/TunerHosts endpoint from non-admin users
- Evidence of database file access through unusual file read operations
Detection Strategies
- Monitor API calls to the /LiveTv/TunerHosts endpoint for suspicious URL patterns including local file paths or external URLs
- Implement network segmentation rules to restrict outbound connections from the Jellyfin server
- Review user audit logs for privilege escalation events following LiveTV configuration changes
- Deploy web application firewall (WAF) rules to detect SSRF patterns in tuner URL submissions
Monitoring Recommendations
- Enable verbose logging on the Jellyfin server to capture all LiveTV tuner configuration changes
- Configure alerts for any new tuner host additions, especially those with non-standard URL schemes
- Monitor for unusual session token usage patterns that may indicate stolen credentials
- Implement file integrity monitoring on the Jellyfin database to detect unauthorized access
How to Mitigate CVE-2026-35032
Immediate Actions Required
- Upgrade Jellyfin to version 10.11.7 or later immediately
- Review all configured tuner hosts and remove any suspicious or unknown entries
- Audit user accounts for the EnableLiveTvManagement permission and disable it for users who do not require Live TV functionality
- Rotate all admin session tokens and credentials as a precautionary measure
Patch Information
Jellyfin has released version 10.11.7 which addresses this vulnerability. The patch implements proper URL validation for the LiveTV M3U tuner endpoint, preventing both local file read and SSRF attacks. Organizations should upgrade to this version as soon as possible.
For more information, see the GitHub Security Advisory GHSA-8fw7-f233-ffr8 and the Jellyfin v10.11.7 Release Notes.
Workarounds
- Disable Live TV Management privileges for all users who do not require this functionality by setting EnableLiveTvManagement to false in user permissions
- Implement network-level controls to restrict the Jellyfin server's ability to make outbound HTTP requests
- Place the Jellyfin server behind a reverse proxy with URL filtering capabilities to block suspicious tuner URLs
- Consider restricting access to the LiveTV API endpoints at the network level until patching is complete
# Configuration example - Disable Live TV Management for non-admin users
# Access Jellyfin Admin Dashboard -> Users -> Select User -> Permissions
# Uncheck "Allow Live TV Management" for all standard users
#
# For automated deployment, modify user policy settings:
# Set "EnableLiveTvManagement": false in user configuration
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
