External risk intelligence

An attacker can take control of your Jellyfin server by exploiting Jellystat

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-41167

An authenticated attacker (any user with a valid Jellystat login) can exploit a SQL injection flaw in Jellystat to steal administrative credentials and API keys and, because of the database privileges Jellystat runs with by default, run commands on the PostgreSQL host. This can lead to a full compromise of that host and exposure of everything stored in the database.

Halo Surface Signal: 2

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-41167

Jellystat is a self-hosted statistics dashboard intended for monitoring private Jellyfin media servers. It is typically deployed within internal, home, or private network environments. Public internet exposure is not a standard or intended deployment pattern for this type of internal administrative tool, as it is generally accessed only by authorized users on the local network.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Jellystat allows an authenticated user to supply request parameters that the backing PostgreSQL database interprets as SQL. This gives read access to data the user was never meant to see and, given the database role Jellystat uses by default, can be escalated to command execution on the host running PostgreSQL.

  • Data theft risk: Can read all database tables.
  • Credential compromise: Exposes admin credentials and API keys stored by Jellystat.
  • Remote code execution: Enables attackers to run commands on the PostgreSQL host when the application's database role is a superuser.

Attack Path

How an attacker could exploit the issue

An authenticated user with access to the Jellystat API could exploit this vulnerability. By placing SQL fragments in the parameters of `POST /api/getUserDetails` or `POST /api/getLibrary`, an attacker can read every table in the database, including configuration data such as admin credentials and API keys. Because Jellystat's default deployment connects to PostgreSQL as a superuser, the same injection can be escalated to arbitrary command execution on the PostgreSQL host: PostgreSQL superusers can run operating-system programs through server-side functions such as `COPY ... PROGRAM`, so a superuser role turns a data-read bug into host compromise.

  • Requires authenticated user access.
  • Targets the `/api/getUserDetails` and `/api/getLibrary` API endpoints.
  • Jellystat's default database role is a PostgreSQL superuser, which is what makes command execution possible.
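To make the weakness class concrete, the following is an added example written for this page, not code from Jellystat or from the advisory: an in-memory SQLite database with a constructed `users` table and a `settings` table holding a secret, and two versions of a lookup modelled on what an endpoint like `getUserDetails` does. The unsafe version splices the caller's id into the SQL text; the hardened version binds it as a parameter. The schema, the function names and the payload are assumptions for illustration; Jellystat's real queries and schema are not reproduced, and SQLite stands in for PostgreSQL only because it runs offline.

```python
import sqlite3

# Constructed in-memory schema standing in for an application database:
# a users table the endpoint is meant to query and a settings table holding
# a secret the endpoint should never return. Not Jellystat's real schema.
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE settings (key TEXT PRIMARY KEY, value TEXT);
INSERT INTO users VALUES ('u1', 'alice'), ('u2', 'bob');
INSERT INTO settings VALUES ('jellyfin_api_key', 'CONSTRUCTED-API-KEY-0000');
"""


def make_db():
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_user_details_unsafe(conn, user_id):
    """CWE-89: the caller-controlled value is spliced into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT id, name FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def get_user_details_safe(conn, user_id):
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL. sqlite3 uses '?' placeholders; psycopg (PostgreSQL) uses '%s'."""
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Payload an authenticated user could send where the API expects a user id:
# it closes the literal, appends a UNION over the settings table and comments
# out the trailing quote. Assumed shape for illustration only.
PAYLOAD = "' UNION SELECT key, value FROM settings --"

if __name__ == "__main__":
    db = make_db()
    print("normal: ", get_user_details_safe(db, "u1"))
    print("unsafe: ", get_user_details_unsafe(db, PAYLOAD))  # leaks the API key row
    print("safe:   ", get_user_details_safe(db, PAYLOAD))    # no such user id
```

The unsafe call returns the `settings` row, which is exactly the "read all database tables" outcome in the advisory; the parameterised call treats the whole payload as an id that matches nothing. In the same way, the escalation to commands on the host only needs the unsafe query shape plus a superuser connection; the fix on the application side is binding parameters everywhere, and the fix on the deployment side is a database role that is not a superuser.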

Live Threat

Current exploitation, exposure, and threat context

Attackers are unlikely to weaponize this vulnerability for widespread exploitation. The target software, Jellystat, is a self-hosted statistics app for Jellyfin, typically deployed within private networks and not directly exposed to the public internet. Exploitation requires an authenticated account on an instance the attacker can already reach, making it less attractive for broad attacks than vulnerabilities in internet-facing services. It remains a credible lateral-movement step for an attacker who already has a foothold on the internal network or a low-privileged Jellystat account.

  • Requires authenticated user.
  • Target is not internet-facing.
  • No known exploit in the wild.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Given the CRITICAL severity and potential for remote code execution, prioritize patching Jellystat to version 1.1.10 or higher immediately. If patching is not feasible, isolate affected Jellystat instances from external networks and from sensitive internal systems, and make sure the database role Jellystat connects with is not a PostgreSQL superuser, so that an injection cannot reach the host.

  • Update Jellystat to version 1.1.10 or later.
  • Restrict network access to Jellystat and review who holds accounts on it.
  • Run Jellystat against a least-privilege PostgreSQL role rather than a superuser.
  • Monitor PostgreSQL statement logs and Jellystat API access logs for queries a statistics dashboard would never issue.
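As an added example (not Halo's or Jellystat's code), the script below covers the two checks a practitioner would script from this section: deciding whether a reported Jellystat version is below the fixed 1.1.10, and scanning PostgreSQL statement logs for query shapes a statistics dashboard never issues on its own. It assumes `log_statement = 'all'` with a `log_line_prefix` of `'%m [%p] %u@%d '`; the sample log lines, the role name `jellystat`, the database name `jfstat` and the table names are constructed, and the indicator list is a heuristic starting point rather than a complete signature set.

```python
import re

FIXED_VERSION = (1, 1, 10)  # first release the advisory lists as fixed


def parse_version(text):
    """Turn '1.1.9', 'v1.1.10' or '1.1.10-beta' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True when the running Jellystat is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


# Query shapes a statistics dashboard never issues on its own. Heuristic:
# extend it from a baseline of the statements your Jellystat normally runs.
INDICATORS = [
    (r"\bUNION\b\s+(ALL\s+)?SELECT\b", "union-based read of another table"),
    (r"\bpg_(read_file|ls_dir|read_binary_file)\b", "server-side file read"),
    (r"\bCOPY\b[^;]*\b(TO|FROM)\s+PROGRAM\b", "COPY ... PROGRAM (OS command execution, superuser only)"),
    (r"\bpg_sleep\s*\(", "time-based blind probe"),
    (r"\binformation_schema\.|\bpg_catalog\.|\bpg_(tables|roles|shadow|authid)\b", "catalog enumeration"),
    (r"--|/\*", "SQL comment used to truncate the original query"),
]

# Assumed prefix '%m [%p] %u@%d ' (timestamp, pid, role@database); adjust
# LOG_LINE if your postgresql.conf uses a different log_line_prefix.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \w+) "
    r"\[(?P<pid>\d+)\] (?P<role>\w+)@(?P<db>\w+) LOG:\s+statement: (?P<sql>.*)$"
)


def scan_statement_log(lines):
    """Return (timestamp, role, reason, statement) for each logged statement
    matching an indicator. Lines that are not statement logs are ignored."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        for pattern, reason in INDICATORS:
            if re.search(pattern, sql, re.IGNORECASE):
                hits.append((m.group("ts"), m.group("role"), reason, sql))
                break  # one reason per statement is enough for triage
    return hits


# Constructed sample log: two benign dashboard queries, one non-statement
# line, and three statements that should be flagged.
SAMPLE_LOG = [
    "2026-01-15 10:22:01.100 UTC [4021] jellystat@jfstat LOG:  statement: SELECT id, name FROM users WHERE id = 'u1'",
    "2026-01-15 10:22:02.250 UTC [4021] jellystat@jfstat LOG:  statement: SELECT count(*) FROM library_items WHERE library_id = 'lib-1'",
    "2026-01-15 10:22:03.000 UTC [4021] jellystat@jfstat LOG:  duration: 0.412 ms",
    "2026-01-15 10:22:07.900 UTC [4022] jellystat@jfstat LOG:  statement: SELECT id, name FROM users WHERE id = '' UNION SELECT key, value FROM settings --'",
    "2026-01-15 10:22:09.300 UTC [4022] jellystat@jfstat LOG:  statement: COPY (SELECT 1) TO PROGRAM 'id'",
    "2026-01-15 10:22:11.700 UTC [4022] jellystat@jfstat LOG:  statement: SELECT pg_sleep(5)",
]

if __name__ == "__main__":
    for v in ("1.1.9", "v1.1.10"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for ts, role, reason, sql in scan_statement_log(SAMPLE_LOG):
        print(f"{ts} {role}: {reason}: {sql}")
```

Alongside the log scan, confirm the privilege level of the role Jellystat uses: running `SELECT rolsuper FROM pg_roles WHERE rolname = current_user;` as that role should return `f`. If it returns `t`, the injection in this advisory reaches the host, and moving Jellystat to a non-superuser role is the single most effective compensating control short of patching.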

Frequently asked questions

What is Jellystat and its purpose?

Jellystat is a free, open-source statistics application designed for Jellyfin media servers. It assists users in monitoring and analyzing their media server usage and performance.

What type of vulnerability is CVE-2026-41167 and its weakness class?

CVE-2026-41167 represents a SQL injection vulnerability, classified as CWE-89. This allows an attacker to insert malicious SQL code through user input, potentially leading to unauthorized data access or server command execution.

How can an authenticated user exploit CVE-2026-41167?

An authenticated user can exploit this vulnerability by sending crafted request parameters containing SQL fragments to specific API endpoints, such as POST /api/getUserDetails or POST /api/getLibrary. This allows the disclosure of all data within the database tables, including sensitive credentials and API keys, and with the default superuser database role it can be escalated to command execution on the PostgreSQL host.

What is the relevance of CVE-2026-41167 in the current threat landscape?

Halo Surface Signal indicates this vulnerability is unlikely to be weaponized for widespread attacks. Jellystat is typically a self-hosted tool used within private networks, not directly exposed to the internet, making broad exploitation less probable.

What steps should be taken to address CVE-2026-41167?

Given its critical severity and potential for remote code execution, it is crucial to update Jellystat to version 1.1.10 or later immediately. If an update is not possible, isolate the affected Jellystat instances from external and sensitive internal networks, run Jellystat against a PostgreSQL role that is not a superuser, and monitor database statement logs for queries the dashboard would never issue on its own.
