CVE-2026-31852

CRITICAL 10.0

Jellyfin Possible Organization/Secret Compromise from dangerous CI implementation

CVSS Score

10.0

EPSS Score

0.0%

EPSS Percentile

0th

Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions (nearly all write permissions), this vulnerability enables full repository takeover of jellyfin/jellyfin-ios, exfiltration of highly privileged secrets, Apple App Store supply chain attack, GitHub Container Registry (ghcr.io) package poisoning, and full jellyfin organization compromise via cross-repository token usage. Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions.

CWE	CWE-269
Vendor	jellyfin
Product	code-quality.yml
Published	Mar 11, 2026
Last Updated	Mar 11, 2026

Stay Ahead of the Next One

Get instant alerts for jellyfin code-quality.yml

Be the first to know when new critical vulnerabilities affecting jellyfin code-quality.yml are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

jellyfin / code-quality.yml

< 109217e75f38394b2f6e46e25dfe5a721203d3c8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh github.com: https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8