CVE-2026-35034 Overview
CVE-2026-35034 is a denial of service vulnerability affecting Jellyfin, an open source self-hosted media server. The vulnerability exists in the SyncPlay group creation endpoint (POST /SyncPlay/New), where authenticated users can create groups with names of unlimited size due to insufficient input validation. By sending large payloads combined with arbitrary group IDs, an attacker can lock out the endpoint for other clients attempting to join SyncPlay groups and significantly increase the memory usage of the Jellyfin process, potentially leading to an out-of-memory crash.
Critical Impact
Authenticated attackers can cause denial of service by exhausting server memory through the SyncPlay group creation endpoint, potentially crashing the Jellyfin server and disrupting media streaming services for all users.
Affected Products
- Jellyfin versions prior to 10.11.7
Discovery Timeline
- 2026-04-14 - CVE-2026-35034 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-35034
Vulnerability Analysis
This vulnerability stems from CWE-400 (Uncontrolled Resource Consumption), a category of weaknesses where an application fails to properly limit resource allocation, allowing attackers to consume excessive system resources. In Jellyfin's SyncPlay feature, the group creation endpoint does not enforce proper size limits on group name inputs, enabling authenticated users to submit arbitrarily large payloads.
The SyncPlay feature in Jellyfin allows multiple users to watch media content in synchronization. When creating a new SyncPlay group via the POST /SyncPlay/New endpoint, the server accepts and processes group names without validating their length. This architectural oversight allows malicious actors to craft requests with extremely large group name payloads that the server must allocate memory to store and process.
Root Cause
The root cause of CVE-2026-35034 is insufficient input validation in the SyncPlay group creation functionality. The endpoint fails to implement proper boundary checks on the group name parameter, allowing unlimited-length strings to be submitted. This missing validation enables resource exhaustion attacks where the server's memory allocation grows unbounded based on attacker-controlled input. Proper input length restrictions and memory allocation limits were not enforced prior to version 10.11.7.
Attack Vector
The attack is network-accessible and requires low-privilege authenticated access to the Jellyfin server. An attacker who has a valid user account can exploit this vulnerability by sending specially crafted HTTP POST requests to the /SyncPlay/New endpoint containing oversized group name payloads. By repeatedly creating groups with large names or submitting requests with arbitrary group IDs, the attacker can:
- Exhaust available server memory, causing performance degradation
- Lock out legitimate users from creating or joining SyncPlay groups
- Potentially trigger an out-of-memory (OOM) condition, crashing the Jellyfin process
The attack does not require user interaction and can be performed remotely over the network by any authenticated user, regardless of their privilege level within the Jellyfin installation.
Detection Methods for CVE-2026-35034
Indicators of Compromise
- Abnormally large HTTP POST requests to the /SyncPlay/New endpoint
- Rapid memory consumption by the Jellyfin server process
- Multiple SyncPlay group creation requests from a single user in short timeframes
- Jellyfin process crashes with out-of-memory errors in system logs
Detection Strategies
- Monitor Jellyfin application logs for unusual SyncPlay group creation activity
- Implement network-level inspection for HTTP requests with abnormally large payloads targeting the SyncPlay endpoints
- Configure memory usage alerts for the Jellyfin process to detect abnormal consumption patterns
- Review web server access logs for repeated POST requests to /SyncPlay/New with large content lengths
Monitoring Recommendations
- Set up process monitoring to track Jellyfin memory usage and trigger alerts when thresholds are exceeded
- Enable verbose logging for the SyncPlay module to capture detailed request information
- Implement rate limiting on API endpoints to detect and flag unusual request patterns
- Configure system-level monitoring for OOM killer events that may indicate exploitation attempts
How to Mitigate CVE-2026-35034
Immediate Actions Required
- Upgrade Jellyfin to version 10.11.7 or later immediately
- Review user accounts for any unauthorized or suspicious activity
- Implement network-level request size limits as a defense-in-depth measure
- Consider temporarily restricting access to the SyncPlay feature until patching is complete
Patch Information
This vulnerability has been fixed in Jellyfin version 10.11.7. The fix implements proper input validation on the SyncPlay group creation endpoint to prevent arbitrarily large payloads from being processed. Users should upgrade to this version or later to remediate the vulnerability.
For detailed information about the security fix, see the GitHub Security Advisory GHSA-v2jv-54xj-h76w and the Jellyfin v10.11.7 release notes.
Workarounds
- Implement a reverse proxy with request body size limits to filter oversized payloads before they reach Jellyfin
- Restrict SyncPlay functionality to trusted user accounts only
- Configure container memory limits if running Jellyfin in Docker to prevent complete system resource exhaustion
- Implement rate limiting at the network or application level for the /SyncPlay/New endpoint
# Example: Configure nginx reverse proxy with request body size limit
# Add to nginx server configuration block
client_max_body_size 1m;
# Rate limiting configuration for SyncPlay endpoint
limit_req_zone $binary_remote_addr zone=syncplay_limit:10m rate=5r/s;
location /SyncPlay/New {
limit_req zone=syncplay_limit burst=10 nodelay;
proxy_pass http://jellyfin_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
