Leaderboard

Popular Content

Showing content with the highest reputation on 10/20/25 in all areas

  1. Hi, yes we will be revamping our home screen settings in an upcoming update, so please stay tuned for that. Thanks.
    3 points
  2. This was brought to my attention by a post on Reddit in r/selfhosted just a few hours ago. It seems images are available by the itemid even when unauthenticated. The OP claims to have attempted to contact the emby team regarding this and a few other issues with no response. I'm making this post to raise awareness as not everyone who frequents these forums will have seen the post on Reddit, and as it is posted publicly elsewhere it definitely deserves attention on the main forum. This is very troubling as it means that content that's available on the server can be determined without being logged in. Even more troubling if you're using emby for family pictures and videos as the pictures themselves can be viewed, and the thumbnail for videos can be viewed as well. I have tested this myself and can verify that it is a major problem. I could see cover art for movies, as well as pictures from my family photos library without being logged in. It seems that itemid's are incremental, so it's arbitrary to just guess a value until you get a valid hit. Leaking what movies and shows are on a server is definitely not great, but leaking actual personal content is just unacceptable in my opinion. Until something is done to address this I would not recommend using emby for personal/sensitive content if your server is publicly exposed. Steps to reproduce below. Replace <itemid> with the numerical value of a library item to test it while not logged in. https://<hostname:port>/emby/Items/<itemId>/Images/Primary
    2 points
  3. I've created a web-based watch party application that lets you watch Emby content synchronized with friends and family in real-time, no matter where they are!

     Key Features:
     • Real-time playback synchronization - play, pause, and seek stays in sync for everyone
     • **Secure proxy architecture** - Emby server stays on your local network, never exposed to internet
     • HLS streaming with proper Emby authentication
     • Auto-detection of default audio and subtitle tracks
     • Burned-in subtitle support for maximum compatibility
     • Live chat while watching
     • Simple party codes for easy joining
     • Random username generation for quick access
     • Works on desktop and mobile browsers

     Technical Details:
     • Backend: Python/Flask with SocketIO for WebSocket communication
     • Frontend: Vanilla JavaScript with HLS.js for adaptive streaming
     • Direct HLS streaming from Emby (no transcoding proxy needed)
     • Coordinated pause-seek-buffer-resume flow prevents desynchronization
     • Professional logging with automatic rotation

     Requirements:
     • Python 3.8+
     • Emby server with user account credentials
     • Modern web browser (Chrome, Firefox, Edge, Safari)
     • Flask app must be accessible to remote users - use VPNs like Tailscale or Hamachi if port forwarding is not possible
     • **Note:** Emby server does NOT need to be exposed to the internet - the Flask app acts as a secure proxy

     How It Works:
     1. One person creates a watch party and gets a unique party code
     2. Friends join using the party code
     3. Anyone can browse the Emby library and select a video
     4. Playback stays synchronized automatically for all viewers
     5. Chat together while watching!

     Perfect for:
     • Movie nights with remote friends
     • Family watch parties across different locations
     • Synchronized viewing of TV series
     • Any scenario where you want to watch together remotely

     Installation: Simple setup with pip - just configure your Emby server URL and credentials, and you're ready to go! Install-Steps are detailed in README.md

     Source Code: https://github.com/Oratorian/emby-watchparty
     License: MIT

     This is a personal project I built for private use with friends. Feel free to try it out and let me know what you think! Contributions and feedback are welcome. Please report Bugs here or on the GitHub page.

     ---
     Note: This is a third-party application and not officially affiliated with Emby.

     emby-watchparty.zip
    2 points
  4. I tried revitalizing this concern a few months ago, but to no avail. The developers are clearly ignoring this blatant security/privacy leak for a reason beyond my knowledge. This privacy issue should be a priority for them to remedy.
    2 points
  5. Why the f#*k is this still an issue? This is beyond infuriating. Excuse my language, but I just had to pull all of my mixed content libraries off of Emby out of respect for privacy of myself and my family members. It's so god damn infuriating that not only is this still an issue, but it has hardly been addressed by the devs. I remember this issue years ago when I was first using Emby and was astonished by it then, and that feeling is only tenfold seeing this privacy vulnerability is STILL present nearly 6 years later. What if a bad actor were to scrape the forum for log files that aren't anonymized, extract the domain name, make a bunch of requests to `https://myembyserver.com/emby/Items/0/Images/Primary` starting from zero, and going up until getting a 404. Bad actor could look for any "questionable" content on the server and potentially use it to blackmail the server administrator.
    2 points
  6. That would also restrict you to web browser access only as Emby's apps do not support http basic_auth (.htaccess). Emby's total silence on this issue isn't exactly encouraging for anyone reading along. It's a pretty prominent topic being closely followed among the self-hosted coms; with JF suffering a similar vulnerability. (being built off the same core code)
    2 points
  7. The issue here is people are not being made aware that an advertised feature in Emby is simply not as secure/private as they would expect it to be. Admins can implement https, reverse proxies etc - doesn't matter, if you know or can guess the url, then you can get unauthenticated access to the images. Is an attacker likely to even know the base url, or spend time brute forcing - unlikely, but security by obscurity has no place in 2025. Randomising the id's/url would be a start, but implementing proper Auth for photo library images would be what I would want to see - if it costs performance, then so be it. For other general metadata images, then I see no reason to implement Auth for them.
    2 points
  8. Holy Hell... You can't be serious with this statement? Most images on the internet aren't supposed to be secured behind account authentication like Emby. That's just an unbelievably stupid defense there.
    2 points
  9. When I click on a person to load their page, it shows me the posters for the movies they were in. Under each poster is the title of the film. What it doesn't have is the name of the character they played. On the movie page, the cast all have pictures below which are two lines: actor name and character name. I'd like to see a similar arrangement on people pages, with the film name and the character name.
    1 point
  10. So, usually this place is filled with the series/season thumb or a fanart pic. I guess that's okay, no spoilers and all, but it gets boring real quick and to me it would make much more sense to have the episode thumb/screenshot there (maybe with the series logo added somehow). The only way to get it that way, is by deleting thumbs and fanart completely, but the latter are used on different places too, so I want to keep them. How about an option to use ep-thumbs for "continue" and "next up"?
    1 point
  11. Built for server 4.8.11 +

      TV&Movie Theme Provider Plugin

      Overview
      TV&Movie Theme Provider automatically locates, downloads, or extracts theme music for Movies and TV Series in your Emby library. It integrates multiple free and legal providers — Archive.org, TelevisionTunes, MixKit, and BBC Rewind — with an optional local FFmpeg extractor for generating clean intro/outro MP3 clips directly from your media. The plugin runs as a scheduled Emby task and provides a full Dashboard configuration page featuring live log output, WebSocket updates, and library scan statistics.

      Step-by-Step Operation

      Library Scan
      The scheduled task queries the Emby library through ILibraryManager. TV Series are processed first by default; Movies optionally included.

      Theme Detection
      For each item, the plugin searches theme sources in order:
      • Archive.org
      • TelevisionTunes.co.uk
      • MixKit.co
      • BBC Rewind (musicmemories.bbcrewind.co.uk)

      Download or Extraction
      If no theme is found online, FFmpeg extracts 45 seconds of audio from the start or end of the video. The extraction uses:

      ```bash
      -t 45 -af silenceremove=start_periods=1:start_threshold=-40dB
      ```

      ensuring silence is trimmed.

      Storage
      Themes can be saved in the media’s folder or a cache directory, based on user settings.

      Fingerprint & Metadata
      Each successful theme creates a theme_meta.json with SHA-256 fingerprint, provider, licence, and timestamp.

      Dashboard Feedback
      A WebSocket channel TVThemeProvider streams progress messages to the dashboard page (tvthemeprovider.html / .js). Users see real-time status, provider name, progress bar, and log output.

      Process Flow

      ```
      flowchart TD
          A[Start Task] --> B[Load Plugin Config]
          B --> C[Query Library (Series / Movies)]
          C --> D{Existing Theme?}
          D -->|Yes| E[Skip]
          D -->|No| F[Try Providers<br>Archive→TelevisionTunes→MixKit→BBC Rewind]
          F -->|Found| G[Save MP3 + JSON Metadata]
          F -->|Not Found| H[Extract with FFmpeg<br>Trim Silence 45 s]
          H --> I[Compute Fingerprint]
          G --> I
          I --> J[Broadcast via WebSocket]
          J --> K[Next Item]
          K --> L[Complete + Summary]
      ```

      Conclusion
      The TVThemeProvider Plugin is a complete, legally-safe theme music engine for Emby. It automatically retrieves or extracts high-quality theme MP3s, maintains consistent metadata, and keeps you informed in real time via a responsive dashboard. With BBC Rewind support and WebSocket integration, this plugin enriches your media library

      MediaBrowser.Plugins.TVThemeProvider.dll

      MixKit and BBC Rewind have been removed. MixKit is unauthorised and contains samples anyway so is not valid, BBC Rewind have removed the media and discontinued but left their api up, so 404's galore. That one is a shame.

      Fixed TV Series extractions and added code to honour intro markers, although I haven't tested it yet. I'm away for the week now, so I have posted it anyway, I'm sure you'll let me know if it ain't working.

      MediaBrowser.Plugins.TVThemeProvider.1.0.0.1.zip
    1 point
  12. Ya, I figured... that's why I said I was joking
    1 point
  13. Gonna reach out to the jellyseerr devs and see what they say, I'll keep you updated.
    1 point
  14. I'm having to remove and recreate each library and then scan the media.. Refreshing metadata is not refreshing things.. It's giving me that error I pasted above. I'm almost done rebuilding it all.
    1 point
  15. You might want to install the Data Explorer plugin. Besides data from remote providers, it also displays all the current data of items (the regular UI is hiding some). Specifically interesting in your case would be the ProviderIDs as well as IndexNumber and ParentIndexNumber. Seeing these might give us some more clue..
    1 point
  16. Unfortunately beyond some ugly hacks, misusing parental control and tags, there's no solution - yet! The problem is that it requires server change. It can't be done at the side of the plugin (alone). Can you please reset your browser cache, press F12, go to the "Network" tab and check "Disable cache". Then F5 back in the browser.
    1 point
  17. I don't see why you need Google to install ATV. You can always sideload it. As long as the devs keep it alive in case of server changes. Since normal development has slowed the need to sideload shouldn't be too often.
    1 point
  18. In the new app you can hard press the Back button which takes you to the Home screen from just about anywhere in one click. Then you can exit similar to the old app using either left menu or top. You can also just shell out of the app from anywhere by hard pressing the Home button
    1 point
  19. Hi, Emby itself actually has no treatment of symlinks. It is handled automatically by the dotnet runtime. Emby Server 4.9 did update from dotnet 6 to 8, so that is very likely related.
    1 point
  20. This issue is once again circulating on the emby subreddit. Just thought it would be worth mentioning that this is currently being talked about outside of the forums again. Given the changing landscape on the internet and various regulations in different countries this could also extend into being a legal/liability issue for some admins if they have any kind of adult content on their server (homemade or otherwise). As it stands right now they could be seen as hosting adult content without age verification since images don't require any authentication whatsoever. Just some food for thought. I do have a couple of thoughts on how to "fix" the problem without breaking compatibility with older apps that can't be updated (or those that want a reverse proxy to cache images or other assets). Add a toggle for each library type that enables "Protected Mode" (or whatever you want to call it). This would disable unauthenticated access to the images endpoints when enabled. Modern clients can be updated to support "Protected mode" libraries, while anyone stuck on a legacy client can opt to leave it disabled for compatibility. Having the toggle on a per-library basis for all library types would allow admins to selectively enable it where they see fit. This also provides compatibility for those that have opted to use a different library type than what the content actually is. There's already been a lot of negativity around this particular issue for quite some time now, the sooner this gets fixed, the better.
    1 point
  21. So what you are saying is that we should just get used to an app that: 1) For over a year can't even show photos at the correct size (Android TV app has no such issue) 2) Takes a few thousand back button presses to get out of (very easy to get out of the Android TV app) 3) Confuses people at the end of TV episodes with the displayed choices (Android TV app is so clear) and so on. I am sure there are many more. Using this logic I am sure you will not want to make an app for the new Firestick OS, so you do not have to duplicate it. Good thing I have no interest in that device. This is getting very frustrating, I used to like Emby very much.
    1 point
  22. So, I absolutely am Loving the plugin, but with content access it's either all or nothing. Say I have 5 Sources listed for the Top-Level, I can only restrict the plugin entirely but cannot control each source's permissions. What if I only want Source X (CCTV) to be viewable only by me, I can't control that.. Also something with the display filters gets a little funky, there's no background behind the options when you click a field (using Edge Windows) As you can see here. It looks fine at first, but after say 10 filters it bugs out..
    1 point
  23. Enable Debug logging, so you'll see trailer playback attempt entries/links, if any.
    1 point
  24. There actually shouldn't (emphasis on shouldn't) be any. Are settings 1:1 between stable and beta instances? For example, download images in advance will amass considerable difference over time on the server that has more activity, let alone if it's disabled on beta. Video preview thumbnails, 10s bifs vs. chapter markers etc.
    1 point
  25. Legend! That did the trick It had merged Hellboy (2004) and Hellboy (2019). Still had to go through all the merged movies, but it was a lot easier going through 66 items, rather than going through 1,642 items Thank you!
    1 point
  26. Sorry, didn't see that for some reason yesterday LOL.
    1 point
  27. It worked, thanks for those explanations, it's fixed now and I will be able to better manage my metadata fetching issues in the future. You just have to trick Emby to make it believe it's not the same folder by mounting the NAS in another network letter :
    1 point
  28. Hi Out of the blue I decided to run Scan Media Library and Scan Metadata folder now that the plugin has completed downloading the theme files for TV shows. Looks like themes are now playing through Emby for the shows the plugin downloaded themes for. Seems you have to run a scan after the plugin has completed downloading theme files for Emby to pick them up.
    1 point
  29. Is actually 38th (not including In-progress FRs), on quick count. That doesn't detract from its validity, just putting things in perspective.
    1 point
  30. I was just looking into this now as well.. The problem I am seeing is that the client apps I have tested don't even request the endpoint with any form of auth key at all, so hopes of trying to do some hackery with a proxy seems like a no-go...
    1 point
  31. Hi. I would suggest trying a wireless connection instead of wired. It may actually end up more reliable and faster.
    1 point
  32. I did some database repairs and the usual startup syncs, from my feeling the beta server line 4.9.2.x is still with the latest one a bit slower than the previous 4.9.1.x servers. I guess there will come more changes in the server in the near future....
    1 point
  33. EmbyWatch - A brilliant app built by a community user! One of the best things about the Emby community is the creativity that comes from it. Every so often, one of our users takes their love for media servers to the next level and builds something that makes life easier for the rest of us. Today, we’re excited to share EmbyWatch, a brand-new Android app developed by community member @asgard25. It is an incredible example of what happens when passion and innovation meet. A User-Built Tool, Made for Admins What makes this story special is that EmbyWatch wasn’t created by a company or a professional app studio. It was created by one of YOU! — just someone who wanted to make managing a server more intuitive and accessible from anywhere. Want to be even more impressed? This is only the second Android app that asgard25 has developed! EmbyWatch is designed to help server admins and advanced users keep track of what’s happening on their Emby setup in real time. It’s not about playback or browsing media, it’s about giving you the tools to monitor, manage, and control your server, all from your phone. Powerful Features at a Glance EmbyWatch brings a surprising amount of functionality for such a young app. Here’s what it can do: Real-time monitoring: See who’s watching what, where they’re streaming from, and how much bandwidth they’re using — all live. User management: View your users, check activity history, and even send messages directly to connected users. Device overview: Identify every connected client, from smart TVs to mobile apps, with connection times and device info. Library insights: Quickly review all your media libraries with detailed counts and metadata. Task control: Run or schedule maintenance tasks like library scans and metadata updates remotely. Plugin visibility: See your installed plugins and available updates. Logs and server details: Access logs, CPU load, uptime, and more — wherever you are. 
Notifications and widgets: Stay informed with live alerts and optional Android widgets for quick monitoring. For anyone managing a shared server, EmbyWatch feels like having a live dashboard in your pocket. A True Example of Community Ingenuity We love seeing users like asgard25 take their experience with Emby and turn it into something that benefits everyone. EmbyWatch really is a reflection of how open and flexible the Emby ecosystem can be when people put their ideas into action. This project shows exactly what makes our community special, a shared passion for improving and creating! So whether you’re managing your own home setup or running a multi-user server, EmbyWatch offers a simple, powerful way to stay connected to your system. Huge thanks to asgard25 for sharing EmbyWatch with the community and for showing what’s possible when creativity meets passion. We’re proud to see our users building tools like this that make Emby not just a media server, but a thriving ecosystem shaped by its fans. If you’re an admin or an advanced user, check out EmbyWatch on Google Play and see how it can make managing your server easier than ever. We can’t wait to see what asgard25 — and others in our amazing community — build next. View the full article
    1 point
  34. The address in the browser address bar is not the determining factor. It is the remote address of the socket connection from which the traffic is originating.
    1 point
  35. Hi Luke, Same here — I’ve run into the same issue after updating to 4.9.1.80. Before, in folder view, if a folder contained just one movie, clicking that folder would take me straight to the movie’s detail page. That was perfect, and I’ve used Emby this way for years. Now, even if there’s only one movie inside, Emby adds another subfolder (like A → B → movie), so I have to click through one more level. It makes browsing my library much less convenient. I’ve seen the suggested workaround, but honestly it feels a bit clunky and not what we really want. We just want the original simple folder behavior back — or at least a global option that lets users choose between the new and old style. It would be great if this setting could apply to Movies, TV Shows, Mixed Content libraries, and any other content type that uses folder view — so that the experience is consistent across all libraries. Please consider restoring or adding this option in a future update. The old folder view worked beautifully for many of us longtime users. Thanks a lot for listening and for all your hard work on Emby!
    1 point
  36. I like this statement, and will hold you up on that. I have not switched yet, trying with every update. But it's still lacking proper physical remote control, like the old did. And a lot of things on this list. It's long. See first page.
    1 point
  37. Are there plans on the roadmap for OpenID? I have searched but not found any indication this is in development. With many admins taking up SSO through Authelia or Authentik to enhance security it would be great for Emby to support it. One of the easier open standards is OpenID which the aforementioned support. Users could continue to use LDAP if they wish while others can use the arguably better SSO experience.
    1 point
  38. For a reverse proxy to properly "fix" this issue it would have to be configured to recognize emby's auth headers to work with client apps (as well as other configuration to properly allow/block the correct paths based on those headers, etc.). I'm not even sure this would be possible, and if it is it would definitely be complex to say the least. I've only vaguely been revisiting this idea again recently. As far as JF, they still have a similar issue, however the way itemid's are assigned seem to make it slightly less problematic than emby.
    1 point
  39. Just wanted to give this thread another bump to see if the emby team has any additional information on getting this privacy leak fixed.
    1 point
  40. Disagree. The user should never have to 'decide' if they want their private image files exposed to the internet or not due to lack of a secure design. If there needs to be a 'balance' of security vs performance, then that is fine. Perhaps I'm missing the point on why this 'id or key' cannot simply be different/random for each item - I'm not suggesting it's changed for every access (as that would obviously screw up any cache) but by simply making it different for every item, rather than an incremented number, the processing/http request required to find the next one by chance/brute force is significantly increased.
    1 point
  41. Good to know Emby as a personal media server can't be trusted to keep personal media, well, personal. This wouldn't be much of a concern if all we were talking about was movie/tv posters/backgrounds/etc; but this vulnerability includes ALL images on the server. Camera upload enabled? Family photos/videos stored on emby? Got a porn library or two? It can all be viewed by anyone with the domain/ip to your server. Just gotta feed it some random numbers, and you will get no alerts to such activities. I stopped trusting Emby with such media long ago, too many bugs with permissions; but this will ensure I never give it access to that media again.
    1 point
  42. I'd forgotten all about this - seriously Emby, after 4 years this is not resolved ? Did you not learn anything from the previous security incident/breach where you ignored that one as well until it was exploited in the wild and then became a big issue for you ? All it's going to take is for somebody to 'exploit' this is to simply scan all emby servers, grab all the images from them and start exploiting the results - and maybe sue your company for gross negligence in the process... PLEASE take reported security incidents seriously - you are getting the Pen testing/analysis done for free - the least you can do is provide a fix in a timely manner. Also to note, you are a commercial organisation with paying customers - thus you have responsibilities to report these vulnerabilities, so people are aware and can make an informed choice. @Luke @ebr @softworkz
    1 point
  43. If you look at the comment history above someone initially reported this in a separate thread over 4 years ago. Over 4 years is far more than enough time to properly address a serious issue such as this after being notified. Keep in mind that it's only been since the 4.8 release that camera upload was changed so that it could even be properly disabled altogether. I'm still using emby as my media server. I've praised the dev team numerous times and am still thankful for the work that goes into it. That being said it's hard to not notice that there's a trend of major issues/concerns being disregarded or otherwise not being dealt with in a timely manner. Another example of this is a feature request I submitted back in February regarding the playlist sharing feature. I asked for more controls to limit which users another user can see when sharing playlists. When you turn on playlist sharing for a user they can see the entire list of users on a server including Admin accounts. This makes the feature not worth turning on for anyone security conscious enough to understand why that's a bad idea. The proposed compromise until such a feature can be fully implemented with groups or however they intend to tackle it was to give an option to at least limit visibility to admin accounts. There is still no such option. To the emby team, I really do appreciate you guys and I love the product. I get that it's a small team and there are only so many hours in the day. I'm not trying to come off as overly critical or entitled. I hope you don't see it as such. You guys can do better about fixing valid security and privacy concerns within a timely manner. Not doing so erodes trust and confidence in the product. The fact that issues like this get buried with no fix in sight is highly concerning. Any issue with emby or its features that is or can be perceived as a valid security/privacy concern should be top priority for a fix.
    1 point
  44. I'm really sorry but offering camera upload and having them exposed by this vulnerability (for years now!) is simply ridiculous. People should be informed when activating the camera upload functionality or even better, get this fixed eventually!
    1 point
  45. I already reported about the image problem 4 years ago:
    1 point
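
Several posts above note that requests to `/emby/Items/<itemId>/Images/Primary` need no authentication and that nothing alerts the admin when someone walks the item IDs. The following is an added example, not code from any poster or from Emby: a log check that flags clients requesting long runs of consecutive item IDs. It assumes a reverse proxy writing combined-format access logs; the function names, thresholds and sample log lines are constructed for illustration.

```python
"""Flag clients that walk sequential item IDs on the image endpoint."""
import re
from collections import defaultdict

# Combined-format access log from a reverse proxy (assumed deployment).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Path shape quoted in the thread: /emby/Items/<itemId>/Images/Primary
IMAGE_RE = re.compile(r"^/emby/Items/(\d+)/Images/\w+", re.IGNORECASE)


def longest_consecutive_run(ids):
    """Length of the longest run n, n+1, n+2, ... among the given IDs."""
    idset = set(ids)
    best = 0
    for n in idset:
        if n - 1 in idset:
            continue  # n is not the start of a run
        length = 1
        while n + length in idset:
            length += 1
        best = max(best, length)
    return best


def find_enumeration(lines, min_ids=8, min_run=6, min_miss_ratio=0.2):
    """Return one finding per client IP whose image requests look like an ID walk.

    A client is flagged when it asked for many distinct item IDs, a long run of
    them is consecutive, and it either touched nothing but the image endpoint or
    hit an unusual share of 404s. Thresholds are illustrative assumptions.
    """
    stats = defaultdict(lambda: {"ids": set(), "image": 0, "miss": 0, "other": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = stats[m["ip"]]
        img = IMAGE_RE.match(m["path"].split("?", 1)[0])
        if m["method"] != "GET" or not img:
            rec["other"] += 1  # normal clients also load pages and API data
            continue
        rec["ids"].add(int(img.group(1)))
        rec["image"] += 1
        if m["status"] == "404":
            rec["miss"] += 1

    findings = []
    for ip in sorted(stats):
        rec = stats[ip]
        if rec["image"] == 0:
            continue
        run = longest_consecutive_run(rec["ids"])
        miss_ratio = rec["miss"] / rec["image"]
        image_only = rec["other"] == 0
        if (len(rec["ids"]) >= min_ids and run >= min_run
                and (image_only or miss_ratio >= min_miss_ratio)):
            findings.append({"ip": ip, "distinct_ids": len(rec["ids"]),
                             "longest_run": run, "miss_ratio": round(miss_ratio, 2),
                             "image_only": image_only})
    return findings


def _line(ip, path, status):
    return f'{ip} - - [20/Oct/2025:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'


# Constructed sample log (documentation IP ranges, made-up item IDs).
SAMPLE_LOG = (
    # Client A: requests IDs 1..10 in order and nothing else; two IDs have no image.
    [_line("203.0.113.50", f"/emby/Items/{i}/Images/Primary", 404 if i in (4, 7) else 200)
     for i in range(1, 11)]
    # Client B: loads the web UI, then a handful of scattered posters.
    + [_line("198.51.100.7", "/web/index.html", 200)]
    + [_line("198.51.100.7", f"/emby/Items/{i}/Images/Primary?maxWidth=400", 200)
       for i in (120, 348, 77, 901, 15)]
    # Client C: browses a library whose items have adjacent IDs; no misses.
    + [_line("192.0.2.33", "/web/index.html", 200)]
    + [_line("192.0.2.33", f"/emby/Items/{i}/Images/Primary", 200) for i in range(200, 212)]
)

if __name__ == "__main__":
    for finding in find_enumeration(SAMPLE_LOG):
        print(finding)
```

Because client apps are reported above to request this endpoint without credentials, the check relies on request behaviour rather than on the presence of an auth header, so thresholds need tuning against real traffic.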