How to fix CVE-2026-35032?

Within 24 hours: Identify all Jellyfin instances in your environment and document their current versions. Within 7 days: Upgrade all Jellyfin installations to version 10.11.7 or later per vendor advisory. Within 30 days: Audit Jellyfin access logs for suspicious activity and review all user accounts with EnableLiveTvManagement permissions; restrict this permission to administrative users only.

Is Jellyfin affected by CVE-2026-35032?

Jellyfin media server versions before 10.11.7 contain a privilege escalation vulnerability that allows any authenticated user to gain full administrative control by exploiting a chained vulnerability involving SSRF and database access.

CVE-2026-35032

EUVD-2026-22766 HIGH

2026-04-14 GitHub_M

SSRF Jellyfin

8.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:56 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

patch_available

Apr 16, 2026 - 05:29 EUVD

10.11.7

Analysis Generated

Apr 15, 2026 - 01:08 vuln.today

CVSS Changed

Apr 14, 2026 - 23:22 NVD

8.6 (HIGH)

DescriptionNVD

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.

AnalysisAI

Jellyfin media server versions before 10.11.7 allow authenticated users to escalate privileges to administrator through a chained exploit involving M3U tuner SSRF, local file read, and database exfiltration. Any authenticated user can exploit this because the EnableLiveTvManagement permission defaults to enabled. …

RemediationAI

Within 24 hours: Identify all Jellyfin instances in your environment and document their current versions. Within 7 days: Upgrade all Jellyfin installations to version 10.11.7 or later per vendor advisory. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-35032 vulnerability details – vuln.today

Back

CVE-2026-35032

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

CVE-2026-35032

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code