CVE-2022-35909
Description
In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Jellyfin.Common (NuGet) | < 10.8.0 | 10.8.0 |
Vulnerability mechanics
Root cause
"Incorrect authorization policy on the SetRepositories endpoint allows any authenticated user to modify package repository settings."
Attack vector
An attacker with any authenticated user account can send a POST request to `/Repositories` with a crafted JSON body containing a list of repository definitions. Because the endpoint previously used the `DefaultAuthorization` policy [patch_id=1641439], it did not check for elevated (admin) privileges. This allows a low-privilege user to add, remove, or modify package repository URLs, potentially pointing the server to a malicious repository that serves compromised plugins.
Affected code
The vulnerability resides in the `Jellyfin.Api/Controllers/PackageController.cs` file. The `SetRepositories` endpoint (`POST /Repositories`) was protected only by the `DefaultAuthorization` policy, which does not require administrative privileges. The patch changes the authorization policy on this endpoint to `RequiresElevation`, ensuring only admin users can modify repository settings.
What the fix does
The fix changes the `[Authorize]` attribute on the `SetRepositories` method from `Policies.DefaultAuthorization` to `Policies.RequiresElevation` [patch_id=1641439]. This ensures that only users with administrative privileges can modify the list of package repositories. The `DefaultAuthorization` policy only requires any authenticated session, while `RequiresElevation` enforces an admin-level check, closing the privilege escalation gap.
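The policy swap described above, as an added illustration in ASP.NET Core controller style (not Jellyfin's own code): the vulnerable attribute beside the fixed one, plus an assumed policy registration that shows why `RequiresElevation` rejects non-admin sessions where `DefaultAuthorization` does not. The `RepositoryInfo` shape, the `IsAdministrator` claim and the `AuthorizationSetup` class are assumptions.

```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Policy names as referenced on this page; their definitions below are illustrative.
public static class Policies
{
    public const string DefaultAuthorization = "DefaultAuthorization";
    public const string RequiresElevation = "RequiresElevation";
}

// Assumed request shape: one entry per package repository.
public sealed record RepositoryInfo(string Name, string Url, bool Enabled);

[ApiController]
[Route("Repositories")]
public class PackageController : ControllerBase
{
    // Vulnerable form (pre-10.8.0): DefaultAuthorization is satisfied by any
    // authenticated session, so a low-privilege user could rewrite this list.
    //   [Authorize(Policy = Policies.DefaultAuthorization)]
    //
    // Fixed form: RequiresElevation admits only administrators.
    [HttpPost]
    [Authorize(Policy = Policies.RequiresElevation)]
    public ActionResult SetRepositories([FromBody] IReadOnlyList<RepositoryInfo> repositoryInfos)
    {
        // Persisting the list is out of scope for this illustration.
        return NoContent();
    }
}

// Illustrative policy registration (assumed, not Jellyfin's own): the elevated
// policy layers an administrator claim on top of the authenticated-user check.
public static class AuthorizationSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy(Policies.DefaultAuthorization,
                p => p.RequireAuthenticatedUser());
            options.AddPolicy(Policies.RequiresElevation,
                p => p.RequireAuthenticatedUser().RequireClaim("IsAdministrator", "true"));
        });
    }
}
```

With this registration a request from an authenticated user lacking the administrator claim receives 403 from the policy middleware before the action body runs, which is the check the pre-10.8.0 attribute never performed.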
Preconditions
- Auth: Attacker must have an authenticated user account on the Jellyfin server (any privilege level).
- Config: The Jellyfin server must be running a version prior to 10.8.0.
- Network: Attacker must be able to send HTTP POST requests to the /Repositories endpoint.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qwp3-5fw3-5wgv (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-35909 (NVD advisory)
- docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit (web)
- github.com/jellyfin/jellyfin/pull/7569/files (fix pull request)
- medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-control-and-xss-stored-to-jellyfin-967359c91058 (web)