CVE-2026-31852

Name of the Vulnerable Software and Affected Versions Jellyfin versions (affected versions not specified)

Description Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in the jellyfin/jellyfin-ios repository is susceptible to arbitrary code execution through pull requests originating from forked repositories. The workflow possesses elevated permissions, granting nearly all write access. This allows for complete takeover of the jellyfin/jellyfin-ios repository, potential exfiltration of sensitive secrets, a possible Apple App Store supply chain attack, compromise of GitHub Container Registry (ghcr.io) packages, and full compromise of the Jellyfin organization through cross-repository token usage. This is a workflow issue, not a code-level flaw.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.