CVE-2026-49247
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk26th percentile — higher than 26% of all known CVEs
Summary
Vulnerability in Jellyfin from version 10.9.0 to 10.11.9 allows authenticated non-admin users to write arbitrary files on the server by manipulating the Client field in the Authorization header. An attacker can use ../ sequences in this field to overwrite files in any location accessible to the Jellyfin service user, with a forced .log extension.
Risk Assessment
Risk includes overwriting critical configuration files or scripts, potentially leading to privilege escalation, malicious code execution, or permanent server damage.
Recommendation
Immediately update Jellyfin to version 10.11.10, which contains the fix for this vulnerability. Until the update, restrict API access to untrusted users.
Original NVD description (English source)
Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a result, any authenticated non-admin user can include ../ sequences in the Client field to cause Jellyfin to write attacker-controlled content to arbitrary paths reachable by the Jellyfin service user, with a forced .log suffix. This vulnerability is fixed in 10.11.10.

