CVE-2026-31852

Published: Mar 11, 2026

Modified: Mar 11, 2026

PUBLISHED

CVSS v3.1

10.0

CRITICAL

Description

Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions (nearly all write permissions), this vulnerability enables full repository takeover of jellyfin/jellyfin-ios, exfiltration of highly privileged secrets, Apple App Store supply chain attack, GitHub Container Registry (ghcr.io) package poisoning, and full jellyfin organization compromise via cross-repository token usage. Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions.

Vendor	Product	Versions
jellyfin	code-quality.yml	affected `< 109217e75f38394b2f6e46e25dfe5a721203d3c8`

Weaknesses (CWE)

CWE-269

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh

x_refsource_CONFIRM

https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-31852

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References