Jellystat SQL injection exposes admin credentials (CVE-2026-41167)
CVE-2026-41167
An authenticated SQL injection in Jellystat before 1.1.10 allows attackers to execute arbitrary commands on the database server and to steal admin credentials and API keys. Upgrade to version 1.1.10 now.
Patch now - CVE-2026-41167 is a critical SQL injection in Jellystat prior to version 1.1.10 that lets an authenticated attacker escalate from data theft to full remote code execution on the PostgreSQL host via stacked queries and superuser privileges.
Overview
A critical SQL injection vulnerability, identified as CVE-2026-41167, affects the Jellystat statistics application for Jellyfin. Versions prior to 1.1.10 contain multiple API endpoints that directly incorporate unsanitized user input into SQL queries. This flaw allows an authenticated attacker to execute arbitrary commands on the underlying database server.
Vulnerability Details
The vulnerability exists in the /api/getUserDetails and /api/getLibrary endpoints. These endpoints construct SQL queries by directly interpolating user-supplied data from the request body into the query text without proper sanitization. Because the queries are sent over a protocol that permits stacked (semicolon-separated) statements, a successful SQL injection attack is not limited to data theft.
An attacker can leverage this to read all data from any table within the connected PostgreSQL database. Critically, this includes the app_config table, which stores Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL.
Furthermore, the default deployment configuration grants the database user superuser privileges. This allows the SQL injection to be escalated to full remote code execution (RCE) on the PostgreSQL host server via commands like COPY ... TO PROGRAM.
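The following is an added illustration, not code from Jellystat or from this advisory, of the pattern described above: a request field spliced into the query text versus the same lookup expressed as a node-postgres parameterized query (`$1` placeholder with a separate `values` array). The table and column names (`users`, `"Id"`), the request field and the sample payload are constructed for the example, and `countStatements` is a rough helper that counts top-level statements so the difference is visible without a database.

```javascript
// Added example (not Jellystat's code): a request value spliced into the SQL
// text versus the node-postgres parameterized form. Table/column names and the
// request field are assumptions made for the example.

// Vulnerable pattern: whatever arrives in the request body becomes SQL text,
// so a quote in the value ends the literal and anything after a semicolon is
// a second statement when the driver allows stacked queries.
function buildUserDetailsQueryUnsafe(userid) {
  return `SELECT * FROM users WHERE "Id" = '${userid}'`;
}

// Hardened pattern: the value is carried as bind parameter $1, so the driver
// sends it separately from the statement and the statement text never changes.
function buildUserDetailsQuerySafe(userid) {
  if (typeof userid !== 'string') {
    throw new TypeError('userid must be a string');
  }
  return { text: 'SELECT * FROM users WHERE "Id" = $1', values: [userid] };
}

// Rough count of top-level statements: semicolons outside single-quoted
// strings separate statements, and "--" line comments are skipped. This is
// enough to show the effect; it is not a full SQL parser.
function countStatements(sql) {
  let inQuote = false;
  let count = 0;
  let segment = '';
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (!inQuote && ch === '-' && sql[i + 1] === '-') {
      // Skip the rest of a line comment; it is inert to the server.
      const nl = sql.indexOf('\n', i);
      i = nl === -1 ? sql.length : nl;
      continue;
    }
    if (ch === "'") inQuote = !inQuote;
    if (ch === ';' && !inQuote) {
      if (segment.trim()) count++;
      segment = '';
    } else {
      segment += ch;
    }
  }
  if (segment.trim()) count++;
  return count;
}

// Constructed sample input: a user id followed by a second, harmless statement.
const SAMPLE_PAYLOAD = "abc'; SELECT 1; --";

// Compare how many statements each builder hands to the database.
function demo() {
  const unsafe = buildUserDetailsQueryUnsafe(SAMPLE_PAYLOAD);
  const safe = buildUserDetailsQuerySafe(SAMPLE_PAYLOAD);
  return {
    unsafeStatements: countStatements(unsafe),  // 2: the injected SELECT runs too
    safeStatements: countStatements(safe.text), // 1: the payload stays in values[]
    safeValues: safe.values,
  };
}

console.log(demo());
```

With node-postgres the hardened form is executed as `pool.query(safe.text, safe.values)` or `pool.query(safe)`; passing values this way also makes the driver use the extended query protocol, which rejects more than one statement per request.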
Impact
The impact of this vulnerability is severe. An attacker with a standard user account in Jellystat can:
- Steal administrative credentials for the Jellystat application.
- Compromise the integrated Jellyfin API key.
- Execute arbitrary operating system commands on the database server, leading to complete system compromise.
This could result in a total breach of the media server environment, exposing sensitive user data and allowing further lateral movement within a network.
Remediation
The only complete mitigation is to upgrade Jellystat to version 1.1.10 or later, which contains the necessary fixes. Users should apply this update immediately.
Action Required:
- Identify all instances of Jellystat in your environment.
- Update each instance to version 1.1.10 or higher.
- If using the provided Docker Compose configuration, ensure you are pulling the updated image and recreate the container.
As a temporary measure if immediate updating is impossible, consider restricting network access to the Jellystat application to only trusted users. Because the flaw is reachable by any authenticated user, however, this does not address the core vulnerability.
Security Insight
This vulnerability highlights the persistent risk of SQL injection in applications that manually construct queries, even when using modern database libraries like node-postgres. The default deployment as a PostgreSQL superuser significantly amplified the impact, turning a data disclosure flaw into a straightforward path to RCE. It serves as a reminder that the principle of least privilege must extend to database roles, especially in containerized and automated deployments where default configurations are often accepted without scrutiny.
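As an added example, not from Jellystat or this advisory, here is the check and the role definition a practitioner would use to act on the least-privilege point: `auditAppRole` takes a row in the shape of PostgreSQL's `pg_roles` catalog and lists attributes an application role should not carry, and `leastPrivilegeRoleDdl` emits the statements for a login role limited to DML on one database. The role name `stats_app`, the database name, the password and the sample rows are constructed placeholders.

```javascript
// Added example (not Jellystat's code): audit the role an application connects
// as, and generate least-privilege DDL for a replacement role. Role, database
// and password values below are constructed placeholders.

// Double-quote an identifier, doubling any embedded double quotes.
function quoteIdent(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// Single-quote a literal, doubling any embedded single quotes.
function quoteLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// `row` mirrors the boolean columns of pg_roles. Returns the attributes an
// application role should not have; an empty array means it looks least-privilege.
function auditAppRole(row) {
  const findings = [];
  if (row.rolsuper) findings.push('superuser: can run COPY ... TO PROGRAM and read every table');
  if (row.rolcreaterole) findings.push('createrole: can create further roles');
  if (row.rolcreatedb) findings.push('createdb: can create databases');
  if (row.rolreplication) findings.push('replication: can stream the whole cluster');
  if (row.rolbypassrls) findings.push('bypassrls: row-level security does not apply');
  return findings;
}

// DDL for a login role limited to DML on one database's public schema.
// Run these as a superuser once, then point the application at the new role.
function leastPrivilegeRoleDdl(roleName, dbName, password) {
  const r = quoteIdent(roleName);
  const d = quoteIdent(dbName);
  return [
    `CREATE ROLE ${r} LOGIN PASSWORD ${quoteLiteral(password)} NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION`,
    `GRANT CONNECT ON DATABASE ${d} TO ${r}`,
    `GRANT USAGE ON SCHEMA public TO ${r}`,
    `GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO ${r}`,
    `GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO ${r}`,
    // Default privileges cover tables the issuing role creates later.
    `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO ${r}`,
    `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO ${r}`,
  ];
}

// Constructed sample rows in the shape of pg_roles: the default superuser an
// application is often pointed at, and a role created by the DDL above.
const SAMPLE_ROLES = [
  { rolname: 'postgres', rolsuper: true, rolcreaterole: true, rolcreatedb: true, rolreplication: true, rolbypassrls: true },
  { rolname: 'stats_app', rolsuper: false, rolcreaterole: false, rolcreatedb: false, rolreplication: false, rolbypassrls: false },
];

for (const row of SAMPLE_ROLES) {
  console.log(row.rolname, auditAppRole(row));
}
console.log(leastPrivilegeRoleDdl('stats_app', 'stats', 'replace-me').join(';\n') + ';');
```

Feed `auditAppRole` the result of `SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolreplication, rolbypassrls FROM pg_roles WHERE rolname = current_user` issued over the application's own connection. If the application creates its tables on first start, it additionally needs `CREATE ON SCHEMA public` (or a dedicated schema it owns), which is still far from superuser. Membership in the built-in `pg_execute_server_program` role also permits `COPY ... TO PROGRAM` without the superuser flag, so review role memberships alongside the flags above.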