6.5
Jellyfin versions before 10.11.7 can be crashed by a malicious group name
CVE-2026-35034
Summary
If you're running a Jellyfin version before 10.11.7, an authenticated user can send a very long SyncPlay group name to drive up the server's memory usage and potentially crash it with an out-of-memory error. The same requests can also lock other clients out of joining SyncPlay groups. Update to version 10.11.7 or later to fix this issue.
Original title
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authe...
Original description
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authenticated user can create groups with names of unlimited size due to insufficient input validation. By sending large payloads combined with arbitrary group IDs, an attacker can lock out the endpoint for other clients attempting to join SyncPlay groups and significantly increase the memory usage of the Jellyfin process, potentially leading to an out-of-memory crash. This issue has been fixed in version 10.11.7.
nvd CVSS3.1
6.5
Vulnerability type
CWE-400
Uncontrolled Resource Consumption
Published: 14 Apr 2026 · Updated: 16 Apr 2026 · First seen: 15 Apr 2026