Critical (10.0)

iOS RCE (CVE-2026-31852)

CVE-2026-31852

Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due...

Affected: iOS, GitHub

Overview

A critical security flaw has been identified in the GitHub Actions workflow configuration for the official Jellyfin iOS application repository. This vulnerability, tracked as CVE-2026-31852, is not a flaw in the Jellyfin media server software itself, but a misconfiguration in the automated build and testing pipeline for its iOS client. It poses an extreme risk to the project’s infrastructure and supply chain.

Vulnerability Details

The code-quality.yml GitHub Actions workflow in the jellyfin/jellyfin-ios repository is configured with excessively broad permissions. Crucially, this workflow runs automatically on pull requests, including those submitted from forked copies of the repository. Because it has nearly full write access, a malicious actor can submit a pull request containing crafted code that, when the workflow runs, executes arbitrary commands with these high-level privileges.

Potential Impact

The consequences of this vulnerability are severe due to the elevated access granted to the workflow:

  • Full Repository Takeover: An attacker could gain complete control of the jellyfin/jellyfin-ios GitHub repository, modifying code or deleting it.
  • Secrets Exfiltration: Highly privileged secrets (like API tokens and signing keys) stored in the repository could be stolen. This could lead to a compromise of the broader Jellyfin GitHub organization.
  • Supply Chain Attacks: Stolen Apple App Store credentials could allow an attacker to publish a malicious version of the Jellyfin iOS app. Similarly, access to the GitHub Container Registry (ghcr.io) could enable poisoning of published package images, affecting all users who download them.

This type of infrastructure compromise is a primary vector for software supply chain attacks. You can read about similar incidents in our security news section.

Remediation and Mitigation

Important for End Users: This is an infrastructure vulnerability affecting the project maintainers’ development pipeline. Users of the Jellyfin media server or its iOS app do not need to take any action and no new software version is required.

Actions for Repository Maintainers:

  1. Immediately Revoke Permissions: Modify the code-quality.yml workflow to use the minimum permissions required for its task. The contents permission should be set to read-only by default.
  2. Restrict Trigger Events: Configure the workflow to not run automatically on pull requests from forks, or implement manual approval for such runs.
  3. Rotate All Exposed Secrets: Assume all repository secrets (GITHUB_TOKEN, Apple Developer credentials, etc.) are compromised and rotate them immediately.
  4. Audit Other Workflows: Review all GitHub Actions workflows across the organization for similar overly permissive configurations.
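As an added illustration (not the project's actual workflow file, whose contents this advisory does not reproduce), the two YAML documents below show a hypothetical workflow exhibiting the misconfiguration described above, followed by the same job with remediation steps 1 and 2 applied. The trigger used in the weak version, the job name, the macOS runner, the default branch name and the swiftlint command are all assumptions made for the example.

```yaml
# --- BEFORE: hypothetical reconstruction of the weak pattern ---
# pull_request_target runs in the context of the base repository, so the
# job receives a privileged GITHUB_TOKEN and repository secrets even when
# the pull request comes from a fork. Combined with write-all permissions
# and checking out the untrusted PR head, any command the PR can influence
# (here a lint tool whose configuration lives in the checked-out tree)
# runs with those privileges.
name: Code quality (insecure)
on:
  pull_request_target:          # assumed trigger: fires for fork PRs with base-repo secrets
permissions: write-all          # far more than a lint job needs
jobs:
  lint:
    runs-on: macos-latest       # assumed runner
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted PR code
      - run: swiftlint --strict # assumed tool; its config comes from the PR
---
# --- AFTER: remediation steps 1 and 2 applied ---
# pull_request (not pull_request_target) runs fork PRs with a read-only
# GITHUB_TOKEN and without repository secrets, and the explicit
# permissions block makes the least-privilege grant visible and enforced
# regardless of the repository-level default.
name: Code quality
on:
  pull_request:
    branches: [main]            # assumed default branch name
permissions:
  contents: read                # step 1: read-only contents, nothing else
jobs:
  lint:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4   # checks out the PR merge ref by default
      - run: swiftlint --strict
```

The manual-approval alternative in step 2 is not a workflow key but a repository setting (Actions settings, approval requirements for workflows triggered by fork pull requests), and it complements rather than replaces the least-privilege permissions block.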

Organizations should treat CI/CD pipeline security with the same rigor as application code. For more information on protecting development environments, refer to our breach reports, which often detail the fallout from such vulnerabilities.
