PT-2026-32957 · Jellyfin · Jellyfin

Author: Gerhardbotha97 +1
Published: 2026-04-14 · Updated: 2026-04-15
CVE-2026-35032
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Jellyfin versions prior to 10.11.7
Description: A flaw exists in the Live TV M3U tuner endpoint 'POST /LiveTv/TunerHosts', where the tuner URL is not validated. An authenticated user can therefore read local files by supplying a non-HTTP path, or perform Server-Side Request Forgery (SSRF), i.e. induce the server to make requests to an unintended location, by supplying an HTTP URL. Because the EnableLiveTvManagement permission is enabled by default for new users, an attacker can add an M3U tuner pointing to a server under their control. By serving a crafted M3U whose channel entry points at the Jellyfin database, the attacker can exfiltrate the database, extract admin session tokens from it, and escalate privileges to administrator.
Recommendations: Update to version 10.11.7. As a temporary workaround, disable the Live TV Management privilege for all users.
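The root cause described above is a user-controlled URL that is fetched by the server without any scheme or destination check. The following is an added illustration of the kind of validation that closes both halves of the issue (non-HTTP paths and SSRF targets); it is example code written for this page, not Jellyfin's own patch, and the host names and addresses in it are constructed samples. The same check has to be applied to every URL the server will fetch, including the channel URLs found inside a downloaded M3U playlist, not only the tuner URL submitted to the endpoint.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only remote HTTP(S) playlists are acceptable as tuner sources.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table used for the offline demo below (hypothetical names).
CONSTRUCTED_DNS = {
    "tuner.example": ["93.184.216.34"],   # constructed: any globally routable address
    "intranet.example": ["10.0.0.5"],     # constructed: RFC 1918 address
    "localhost": ["127.0.0.1"],
}


def constructed_resolver(host):
    """Offline stand-in for DNS; raises KeyError for unknown names."""
    return CONSTRUCTED_DNS[host]


def system_resolver(host):
    """Resolve `host` to every address the OS could connect to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def address_is_public(ip):
    """True if `ip` (an ipaddress object) is a globally routable unicast address."""
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_tuner_url(url, resolver=system_resolver):
    """Return (accepted, reason) for a user-supplied playlist or channel URL.

    Rejects anything that is not http/https (bare paths, file://, custom
    schemes) and any host that is, or resolves to, a non-public address.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # Catches "/some/local/file.db", "file:///...", "gopher://", etc.
        return False, f"scheme {scheme or '<none>'!r} is not http/https"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    try:
        # Literal address: check it directly.
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        # Hostname (or an odd literal the parser did not accept, such as a
        # decimal IP): resolve it and check every address it maps to.
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError, LookupError):
            return False, f"host {host!r} does not resolve"
        if not candidates:
            return False, f"host {host!r} has no addresses"
    for ip in candidates:
        if not address_is_public(ip):
            return False, f"{host} maps to non-public address {ip}"
    return True, "ok"


def check_samples(resolver=constructed_resolver):
    """Run the validator over constructed inputs; returns {url: accepted}."""
    samples = [
        "http://tuner.example:8080/playlist.m3u",   # legitimate remote playlist
        "/srv/example/library.db",                   # constructed local path
        "file:///srv/example/library.db",            # constructed file:// URL
        "http://127.0.0.1:8096/",                    # loopback
        "http://[::ffff:127.0.0.1]/",                # IPv4-mapped loopback
        "http://localhost/",                         # resolves to loopback
        "http://intranet.example/list.m3u",          # resolves to private range
        "http://169.254.169.254/",                   # link-local
    ]
    return {url: validate_tuner_url(url, resolver)[0] for url in samples}


if __name__ == "__main__":
    for url, accepted in check_samples().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {url}")
```

Two caveats apply to any check of this shape. First, validating at submission time is not enough on its own: the resolved address must be the one actually connected to (pin it, or re-validate at connect time), or a DNS answer that changes between check and fetch bypasses the filter. Second, HTTP redirects must be re-validated with the same function before they are followed, otherwise a remote server can redirect the fetch back to an internal or loopback address.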

Tags: Fix, SSRF
Related Identifiers: CVE-2026-35032
Affected Products: Jellyfin