
CVE-2026-31852: CWE-269: Improper Privilege Management in jellyfin code-quality.yml

Severity: Critical
Tags: Vulnerability, CVE-2026-31852, CWE-269
Published: Wed Mar 11 2026 (03/11/2026, 17:04:53 UTC)
Source: CVE Database V5
Vendor/Project: jellyfin
Product: code-quality.yml

Description

CVE-2026-31852 is a critical vulnerability in the GitHub Actions workflow (code-quality.yml) of the jellyfin/jellyfin-ios repository. It allows arbitrary code execution via pull requests from forked repositories due to overly permissive workflow permissions. Exploitation can lead to full repository takeover, exfiltration of privileged secrets, supply chain attacks on the Apple App Store, package poisoning in GitHub Container Registry, and compromise of the entire jellyfin organization through cross-repository token misuse. This vulnerability is not in the application code itself but in the CI/CD workflow configuration. No new software version is required to fix this issue, and end users do not need to take direct action. The CVSS score is 10.0, indicating critical severity with network attack vector, no privileges or user interaction required, and complete confidentiality, integrity, and availability impact.

AI-Powered Analysis

Last updated: 03/11/2026, 18:51:43 UTC

Technical Analysis

CVE-2026-31852 is a critical security vulnerability identified in the GitHub Actions workflow file code-quality.yml within the jellyfin/jellyfin-ios repository. The vulnerability arises from improper privilege management (CWE-269) in the workflow configuration, which grants nearly all write permissions to the workflow. This misconfiguration allows an attacker to execute arbitrary code by submitting a pull request from a forked repository. Since GitHub Actions workflows run with elevated permissions, an attacker exploiting this flaw can gain full control over the jellyfin/jellyfin-ios repository. This includes the ability to exfiltrate highly privileged secrets stored in the repository or GitHub environment variables, perform supply chain attacks by injecting malicious code into Apple App Store submissions, and poison packages in the GitHub Container Registry (ghcr.io). Furthermore, the attacker can leverage cross-repository token usage to compromise the entire jellyfin organization, escalating the impact beyond a single repository. Importantly, this vulnerability is not due to a flaw in the Jellyfin application code but rather in the continuous integration and deployment (CI/CD) pipeline configuration. The vulnerability affects versions prior to commit 109217e75f38394b2f6e46e25dfe5a721203d3c8. The CVSS v3.1 score is 10.0, reflecting its critical nature with network attack vector, no required privileges or user interaction, and complete compromise of confidentiality, integrity, and availability. No patch or new software release is necessary as the fix involves adjusting GitHub Actions workflow permissions. End users are not required to take any action, but repository maintainers must update their workflow configurations to restrict permissions and prevent arbitrary code execution from untrusted pull requests.

Potential Impact

The impact of CVE-2026-31852 is severe and multifaceted. Organizations relying on the jellyfin/jellyfin-ios repository or related projects face the risk of complete repository takeover, which can lead to unauthorized code changes, insertion of backdoors, or malicious payloads. The exfiltration of highly privileged secrets could expose sensitive credentials, tokens, or API keys, potentially compromising other integrated systems or services. The ability to perform supply chain attacks on the Apple App Store could result in malicious versions of the Jellyfin iOS app being distributed to end users, undermining user trust and causing widespread harm. Package poisoning in the GitHub Container Registry could affect containerized deployments downstream, spreading the compromise further. The cross-repository token misuse elevates the threat to the entire jellyfin organization, risking broader organizational compromise. Although no known exploits are currently in the wild, the critical severity and ease of exploitation (no privileges or user interaction required) make this a high-risk vulnerability that could be leveraged by attackers to conduct supply chain attacks, espionage, or widespread disruption. Organizations using or contributing to Jellyfin should consider the potential for indirect impact if their supply chain includes this repository.

Mitigation Recommendations

To mitigate CVE-2026-31852, repository maintainers must immediately review and restrict the permissions granted to GitHub Actions workflows, especially those triggered by pull requests from forked repositories. Specifically, the code-quality.yml workflow should be updated to use the least privilege principle by limiting write permissions and avoiding the use of secrets or tokens in workflows triggered by untrusted contributors. Implementing GitHub's recommended best practices for workflow security, such as enabling 'pull_request_target' workflows only when necessary and avoiding exposing sensitive secrets to forked pull requests, is critical. Additionally, maintainers should consider using environment protection rules, required reviewers, and branch protection policies to reduce the risk of unauthorized workflow execution. Regular audits of CI/CD configurations and secrets management policies are advised to detect and remediate similar misconfigurations. Organizations consuming Jellyfin iOS builds should verify the integrity of builds and monitor for suspicious activity related to supply chain attacks. While no user action is required, developers and maintainers must prioritize updating workflow permissions to prevent exploitation.
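As an added illustration (not the contents of jellyfin's actual code-quality.yml, which this advisory does not reproduce), the first workflow below shows the general misconfiguration pattern the analysis and mitigation sections describe: a fork-triggered run that checks out the untrusted pull request head while holding a write-all token and repository secrets. The second shows the least-privilege form. The job name, lint script path and secret name are assumptions.

```yaml
# Constructed example of the risky pattern (NOT jellyfin's real file)
name: code-quality
on:
  pull_request_target:          # runs in the base repo context: secrets and a privileged GITHUB_TOKEN are available
    types: [opened, synchronize]
permissions: write-all          # every scope writable: contents, packages, id-token, pull-requests, ...
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out the fork's code...
      - run: ./scripts/lint.sh                              # ...and executes it with the write-all token in scope
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}           # assumed secret name; readable by whatever the PR runs

---
# Constructed example of the least-privilege form
name: code-quality
on:
  pull_request:                 # fork PRs get a read-only GITHUB_TOKEN and no repository secrets
permissions:
  contents: read                # only what linting needs; nothing else is granted
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default merge ref, no privileged context
      - run: ./scripts/lint.sh      # no secrets passed; signing and publishing belong in a separate, protected workflow
```

The second document also relies on GitHub's default behaviour for `pull_request` events from forks (read-only token, no secrets), so a lint job cannot reach the signing or registry credentials even if the PR's script is malicious.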


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-09T19:02:25.010Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69b1b88b2f860ef9436021d8

Added to database: 3/11/2026, 6:46:35 PM

Last enriched: 3/11/2026, 6:51:43 PM

Last updated: 3/11/2026, 11:45:19 PM
