CVE-2026-41167 Overview
CVE-2026-41167 is a critical SQL Injection vulnerability affecting Jellystat, a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetails and POST /api/getLibrary, enabling full read of any table in the database - including app_config, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL.
Because the vulnerable call site dispatches via node-postgres's simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via COPY ... TO PROGRAM. Under the role shipped by the project's docker-compose.yml (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive.
Critical Impact
This SQL Injection vulnerability allows authenticated attackers to escalate from data disclosure to full remote code execution on the PostgreSQL host, potentially compromising the entire server infrastructure.
Affected Products
- Jellystat versions prior to 1.1.10
- Jellystat installations using the default docker-compose.yml with PostgreSQL superuser role
- Jellyfin environments with Jellystat statistics integration
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-41167 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41167
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection), representing a severe failure in input validation within the Jellystat application. The vulnerable endpoints accept user-controlled data in HTTP POST request bodies and directly concatenate this input into SQL query strings without proper sanitization or parameterization.
The attack surface is accessible to any authenticated user of the Jellystat application. Once exploited, attackers gain the ability to execute arbitrary SQL commands against the PostgreSQL database. The sensitive data at risk includes Jellystat admin credentials, Jellyfin API keys, and Jellyfin host URLs stored in the app_config table.
What makes this vulnerability particularly dangerous is the exploitation chain it enables. The use of node-postgres's simple query protocol without a parameter array permits stacked queries. This allows attackers to chain multiple SQL statements together, escalating from simple data exfiltration to leveraging PostgreSQL's COPY ... TO PROGRAM functionality for arbitrary command execution on the underlying host operating system.
Root Cause
The root cause of this vulnerability lies in the application's direct string interpolation of user-supplied request body fields into SQL query construction. Rather than using parameterized queries or prepared statements - which pass user input to the database as bound values, separate from the SQL text - the application concatenates raw user input directly into SQL strings.
The node-postgres library supports parameterized queries that would prevent SQL injection, but the vulnerable code paths in POST /api/getUserDetails and POST /api/getLibrary do not use them. Additionally, the default deployment configuration grants PostgreSQL superuser privileges, eliminating any database-level privilege barrier that might otherwise limit the impact of successful exploitation.
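The two patterns described above, side by side, as an added example that is not Jellystat's code and not taken from the advisory. The helpers only build the query object that would be handed to node-postgres's pool.query(); no database connection is made. Table names (jf_users, jf_libraries), column names and the request-body field names are assumptions made for the example.

```javascript
// Added example (not Jellystat's code): the lookup written the way the advisory
// describes the vulnerable endpoints (string interpolation, run over the simple
// query protocol) and the way node-postgres intends (bound parameters).
// Table, column and body field names are assumptions for this example.

function requireString(value, name) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  return value;
}

// Vulnerable pattern: the request-body field becomes part of the SQL text.
// pool.query(sqlString) with no values array uses the simple query protocol,
// so a quote ends the literal early and a semicolon can start a second
// statement (the stacked queries the advisory refers to).
function buildUserDetailsQueryVulnerable(body) {
  return `SELECT * FROM jf_users WHERE "Id" = '${body.userid}'`;
}

// Hardened pattern: the value travels in the values array. node-postgres then
// uses the extended query protocol, which sends SQL text and parameters
// separately and accepts exactly one statement per call. The SQL text is a
// constant; the input is never spliced into it.
function buildUserDetailsQuery(body) {
  return {
    text: 'SELECT * FROM jf_users WHERE "Id" = $1',
    values: [requireString(body.userid, 'userid')],
  };
}

// Parameters cover values only. A caller-chosen column name cannot be bound,
// so it is checked against a fixed allowlist before it is interpolated.
const SORTABLE_COLUMNS = new Set(['Name', 'LastActivityDate']);
function buildLibraryQuery(body) {
  const sortBy = SORTABLE_COLUMNS.has(body.sortBy) ? body.sortBy : 'Name';
  return {
    text: `SELECT * FROM jf_libraries WHERE "Id" = $1 ORDER BY "${sortBy}"`,
    values: [requireString(body.libraryid, 'libraryid')],
  };
}

// Constructed input: an ordinary value containing a quote is enough to break
// the interpolated query, while the parameterized one carries it unchanged.
const sampleBody = { userid: "O'Brien" };

function demo() {
  const vulnerable = buildUserDetailsQueryVulnerable(sampleBody);
  const safe = buildUserDetailsQuery(sampleBody);
  return {
    vulnerable,
    safe,
    vulnerableEmbedsInput: vulnerable.includes("O'Brien"),
    safeTextIsConstant: !safe.text.includes("O'Brien"),
  };
}

console.log(demo());
```

Both objects returned by the hardened helpers are in the shape pool.query() accepts directly ({ text, values }); passing the values array is what switches node-postgres to the extended protocol, so the change that removes the injection is also the change that removes the stacked-query capability.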
Attack Vector
The attack vector is network-based, requiring only authenticated access to the Jellystat web application. An attacker with valid credentials (even low-privileged) can craft malicious HTTP POST requests to the vulnerable API endpoints.
The exploitation flow involves sending a specially crafted JSON payload to either /api/getUserDetails or /api/getLibrary endpoints. The malicious SQL payload embedded in the request body is then interpolated into the SQL query and executed by the database. Initial exploitation allows data exfiltration from any database table, while advanced exploitation uses stacked queries with COPY ... TO PROGRAM to execute arbitrary system commands on the PostgreSQL server host.
For technical details on the specific vulnerable code patterns and exploitation techniques, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-41167
Indicators of Compromise
- Unusual or malformed HTTP POST requests to /api/getUserDetails or /api/getLibrary endpoints containing SQL syntax characters such as single quotes, semicolons, or UNION keywords
- PostgreSQL log entries showing COPY ... TO PROGRAM commands or unexpected query patterns
- Unexpected outbound network connections from the PostgreSQL server or container
- Unauthorized access or modifications to the app_config table or other database tables
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in POST request bodies targeting Jellystat API endpoints
- Enable PostgreSQL query logging and monitor for suspicious query patterns including stacked queries and COPY ... TO PROGRAM usage
- Deploy endpoint detection and response (EDR) solutions such as SentinelOne Singularity to identify command execution originating from PostgreSQL processes
- Review application access logs for repeated failed authentication attempts followed by successful access to vulnerable endpoints
Monitoring Recommendations
- Configure alerting on PostgreSQL audit logs for queries accessing the app_config table from unexpected sources
- Monitor for process spawning from the PostgreSQL service or container, particularly shell processes or network utilities
- Implement network segmentation monitoring to detect lateral movement attempts from compromised Jellystat or PostgreSQL hosts
- Enable real-time log correlation across web application, database, and host-level logs to identify multi-stage attack patterns
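The query-logging strategy and the app_config alerting recommendation above, as an added example that is not part of the advisory and not Jellystat's code: a small checker for PostgreSQL statement logs that flags the three patterns the advisory names (COPY ... TO PROGRAM, stacked statements, access to app_config). It assumes log_statement = 'all' and a log_line_prefix of '%m [%p] %u@%d ' so that each line carries the timestamp, backend pid, user and database; the log lines it scans are constructed for the example.

```javascript
// Added example (not Jellystat's code): flag PostgreSQL statement-log lines
// matching the patterns named in the advisory. Assumes log_statement = 'all'
// and log_line_prefix = '%m [%p] %u@%d ', so a line looks like
// "2026-04-23 10:15:02.123 UTC [1234] jellystat@jellystat LOG:  statement: ...".

const LOG_LINE = /^(\S+ \S+ \S+) \[(\d+)\] (\S+)@(\S+) LOG:\s+statement: (.*)$/;

// Count top-level statements by splitting on semicolons outside single-quoted
// strings; more than one statement in a single log entry means the client
// used the simple query protocol with stacked queries.
function countStatements(sql) {
  let count = 0, inString = false, sawText = false;
  for (const ch of sql) {
    if (ch === "'") inString = !inString;
    else if (ch === ';' && !inString) { if (sawText) count++; sawText = false; }
    else if (!/\s/.test(ch)) sawText = true;
  }
  return count + (sawText ? 1 : 0);
}

// Each rule is a name plus a predicate over the statement text.
const RULES = [
  { name: 'copy_to_program',   test: (sql) => /\bCOPY\b[\s\S]*\bTO\s+PROGRAM\b/i.test(sql) },
  { name: 'stacked_statements', test: (sql) => countStatements(sql) > 1 },
  { name: 'app_config_access', test: (sql) => /\bapp_config\b/i.test(sql) },
];

function parseLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ts: m[1], pid: Number(m[2]), user: m[3], db: m[4], sql: m[5] };
}

// Returns one finding per rule hit; a single line can trigger several rules.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;           // not a statement line (or a different prefix)
    for (const rule of RULES) {
      if (rule.test(entry.sql)) {
        findings.push({ rule: rule.name, ts: entry.ts, pid: entry.pid, user: entry.user, db: entry.db });
      }
    }
  }
  return findings;
}

// Constructed sample log: one ordinary query, one stacked query that reads
// app_config, one COPY ... TO PROGRAM with the command replaced by a placeholder.
const SAMPLE_LOG = [
  "2026-04-23 10:15:02.123 UTC [1234] jellystat@jellystat LOG:  statement: SELECT * FROM jf_users WHERE \"Id\" = 'abc'",
  "2026-04-23 10:15:09.456 UTC [1234] jellystat@jellystat LOG:  statement: SELECT * FROM jf_users WHERE \"Id\" = 'x'; SELECT * FROM app_config",
  "2026-04-23 10:15:31.789 UTC [1234] jellystat@jellystat LOG:  statement: COPY (SELECT 1) TO PROGRAM '[constructed placeholder]'",
];

console.log(scanLog(SAMPLE_LOG));
```

In a real deployment the app_config_access rule will also fire on Jellystat's own legitimate reads of that table, so it is the combination of rules on one backend pid (a stacked statement touching app_config, or any COPY ... TO PROGRAM at all from the application role) that is worth an alert rather than the single rule in isolation.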
How to Mitigate CVE-2026-41167
Immediate Actions Required
- Upgrade Jellystat to version 1.1.10 or later immediately to apply the security fix
- Audit PostgreSQL database access logs for evidence of SQL injection attempts or data exfiltration
- Rotate all credentials stored in the Jellystat app_config table, including admin credentials and Jellyfin API keys
- Review and restrict PostgreSQL user privileges - avoid running the database with superuser privileges in production
Patch Information
The vulnerability has been addressed in Jellystat version 1.1.10. The fix is available in GitHub commit 735fe7c6eb0e3e34e92a8a82fd21914d76693665. Organizations should upgrade to this version or later to remediate the SQL injection vulnerability.
For complete details on the vulnerability and remediation, refer to the GitHub Security Advisory GHSA-fj7c-2p5q-g56m.
Workarounds
- Implement network-level access controls to restrict access to Jellystat API endpoints to trusted IP addresses only until patching is complete
- Deploy a reverse proxy with Web Application Firewall (WAF) capabilities to filter SQL injection payloads in request bodies
- Modify the PostgreSQL deployment to use a non-superuser role with minimal required privileges, reducing RCE impact if exploited
- Temporarily disable or restrict authentication to vulnerable endpoints if application functionality permits
-- Example: restrict PostgreSQL privileges for Jellystat (run as a PostgreSQL superuser).
-- Replace the database name and password with your deployment's values.
-- Create a limited-privilege login role for the application.
CREATE ROLE jellystat_app WITH LOGIN PASSWORD 'secure_password';
GRANT CONNECT ON DATABASE jellystat TO jellystat_app;
GRANT USAGE ON SCHEMA public TO jellystat_app;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO jellystat_app;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO jellystat_app;
-- If Jellystat's migrations must create tables under this role, also GRANT CREATE ON SCHEMA public.
-- COPY ... TO PROGRAM and server-side file access require superuser or membership in the
-- predefined roles below; make sure the application role holds none of them.
REVOKE pg_execute_server_program, pg_read_server_files, pg_write_server_files FROM jellystat_app;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.