Jellyfin 10.11.7: Critical Security Update - Upgrade Immediately

The Jellyfin team has released version 10.11.7, a critical update that addresses four security vulnerabilities alongside 25 general bug fixes. The project describes these fixes as "extremely important" and urges all users to upgrade without delay.

WARNING: This release contains several extremely important security fixes. Users of all versions prior to 10.11.7 are advised to upgrade immediately.


What Happened?

On April 1, 2026, the Jellyfin project published version 10.11.7 with four security patches tracked under GitHub Security Advisories:

  • GHSA-j2hf-x4q5-47j3
  • GHSA-8fw7-f233-ffr8
  • GHSA-v2jv-54xj-h76w
  • GHSA-jh22-fw8w-2v9x

All four fixes were implemented by @Shadowghost, a core Jellyfin maintainer.

As per Jellyfin's security policy, the full details of these vulnerabilities will be disclosed publicly in 14 days. This delay gives users time to upgrade before exploit details become widely available.


Why You Must Upgrade Now

Four simultaneous security advisories in a single release is unusual for Jellyfin. The project rarely uses the word "extremely" - this signals that:

  • The vulnerabilities may be remotely exploitable
  • They could affect servers exposed to the internet
  • Waiting for the 14-day disclosure window to close puts your server at risk

If your Jellyfin server is accessible from the internet - whether through a reverse proxy, Cloudflare Tunnel, or port forwarding - you should treat this update as urgent.


How to Upgrade

Docker (recommended)

docker pull jellyfin/jellyfin:latest
docker compose down
docker compose up -d

Debian / Ubuntu

sudo apt update
sudo apt install --only-upgrade jellyfin

Windows

Download the latest installer from jellyfin.org/downloads and run it over your existing installation.

Always back up your configuration folder before upgrading. Jellyfin 10.11.x uses a unified database - a backup ensures you can roll back if anything goes wrong.
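To confirm the upgrade took effect, the script below (an added example, not code from the Jellyfin project or this article) reads the `Version` field from Jellyfin's unauthenticated `/System/Info/Public` endpoint and compares it against 10.11.7. The function names and the server URLs in the usage comment are this example's own placeholders.

```sh
#!/bin/sh
# Added example: report whether Jellyfin servers run the fixed release or later.
FIXED="10.11.7"   # first fixed version named in this article

# Read a /System/Info/Public JSON body on stdin, print its "Version" value.
extract_version() {
    sed -n 's/.*"Version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing fields numerically.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the field just read; an exhausted version becomes empty.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # ignore suffixes such as "-rc1"
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# stdin = JSON body, $1 = label. Prints "<label> <version> OK|UPGRADE",
# or "<label> - UNKNOWN" when no version could be read.
check_body() {
    v=$(extract_version)
    if [ -z "$v" ]; then echo "$1 - UNKNOWN"; return 2; fi
    if version_ge "$v" "$FIXED"; then echo "$1 $v OK"; return 0; fi
    echo "$1 $v UPGRADE"; return 1
}

# Query one server over HTTP(S); a curl failure falls through to UNKNOWN.
check_server() {
    curl -fsS --max-time 10 "$1/System/Info/Public" 2>/dev/null | check_body "$1"
}

# Usage (placeholder URLs): sh check-jellyfin.sh https://media.example.org http://192.0.2.10:8096
for url in "$@"; do
    check_server "$url"
done
```

The version is compared field by field as integers, so 10.11.10 correctly ranks above 10.11.7, which a plain string comparison would get wrong.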


Other Fixes in 10.11.7

Beyond security, this release includes 25 bug fixes:

  • FFmpeg 8.1 compatibility - Fixed readrate options and filter detection for the latest FFmpeg
  • Subtitle extraction - Fixed caching of empty files and improved codec parameter detection
  • HLS streaming - Fixed segment length adjustment for remuxed content and fractional framerate playlists
  • Library database - WAL checkpoint before migration, deduplicated provider IDs, reattached user data after item removal
  • TMDB metadata - Fixed image URLs missing size parameter, crew department mapping
  • Random sort - Fixed duplicate items appearing in random sort results
  • Subtitle downloads - Fixed broken library-level subtitle download settings
  • Session info - Fixed WebSocket listener not using SessionInfoDto
  • Null reference fixes - Multiple null reference exceptions resolved in font handling, season episodes, and H264 profile checks
  • NFO saver - Fixed wrong provider ID for collection numbers
  • Backup restore - Fixed metadata location during backup restoration

Timeline

Date               Event
April 1, 2026      Jellyfin 10.11.7 released with 4 security fixes
~April 15, 2026    Full vulnerability details will be publicly disclosed

Do not wait for the disclosure. Upgrade now.


Monitor Your Server After Upgrading

After upgrading, verify your server is running correctly:

  • Check active sessions and playback
  • Review recent login attempts for suspicious activity
  • Monitor CPU and memory usage for any regressions

JellyWatch lets you monitor all of this from your phone - real-time session tracking, failed login alerts, and server health dashboards.



Stay safe. Keep your server updated.

Comments 6

SecurityWatch·

Updated immediately after seeing this. 4 security advisories at once is serious. Everyone with a public-facing server: update NOW.

DockerAdmin·

docker pull + docker compose up -d. Done in 30 seconds. No excuse not to update when it's this easy.

HomelabSec·

The FFmpeg 8.1 compatibility fixes are a nice bonus alongside the security patches. Subtitle extraction works much better now.

Worried_Admin·

My server was exposed via Cloudflare Tunnel. Updated within an hour of this post. Thank you for the clear urgency in the article.

robmitch·

docker pull, docker compose up -d. Done in 45 seconds. If you expose your server to the internet and have not updated yet, stop reading comments and go update right now.

Amir H.·

My server is behind a Cloudflare Tunnel. Updated within an hour of seeing this post. Four security advisories at once is not something to sleep on.
