aoinoikaz
Posted November 10, 2025 (edited)

I've discovered a critical access control vulnerability that allows users to bypass Live TV permission restrictions.

Issue Summary:
When a user adds a Live TV channel to their favorites while Live TV is enabled, they retain access to that channel even after Live TV permissions are revoked. The favorited channels remain playable despite the user no longer having Live TV access.

Steps to Reproduce:
1. Enable Live TV permissions for a user
2. Have the user add any Live TV channel to their favorites (in my testing, this was from an M3U tuner source)
3. Disable Live TV permissions for that user
4. Navigate to the user's favorites and attempt to play the previously favorited channel
5. The channel plays successfully despite Live TV being disabled

Expected Behavior:
Emby should validate Live TV permissions before attempting to play any Live TV content, regardless of how it's accessed (direct navigation, favorites, etc.). Users without Live TV permissions should receive a permission denied error.

Actual Behavior:
Favorited Live TV channels bypass permission validation entirely and remain accessible after Live TV permissions are removed.

Impact:
This is a serious security flaw that undermines content access controls. Users can maintain unauthorized access to Live TV content indefinitely.

Environment:
Emby Version: 4.9.1.80
Server OS: Windows 11
Source: M3U Tuner with custom proxy backend (likely affects other sources as well)

Note: While my setup uses a custom backend that proxies M3U links, the core issue is that Emby is not validating Live TV permissions when playing favorited channels. Permission validation should occur at the Emby layer before any stream fetch attempt.

Edited November 10, 2025 by aoinoikaz
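
The expected behaviour described in the report above, as an added example that is not part of the original post and is not Emby's code: a toy Python model in which the permission check sits in the stream-open call itself, so a stored favorite cannot outlive a revoked Live TV permission. All class names, function names, item ids and URLs are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:  # hypothetical model, not Emby's user object
    name: str
    live_tv_enabled: bool  # current policy flag; an admin can revoke it
    favorites: set = field(default_factory=set)

@dataclass(frozen=True)
class Item:
    kind: str  # constructed types: "live_tv_channel" or "movie"
    stream_url: str

# Constructed catalogue; ids and URLs are placeholders.
CATALOG = {
    "ch-1": Item("live_tv_channel", "http://tuner.example/ch1.m3u8"),
    "mv-1": Item("movie", "http://media.example/mv1.mkv"),
}

def can_play(user, item):
    """Decide from the user's current permissions, never from stored references."""
    if item.kind == "live_tv_channel":
        return user.live_tv_enabled
    return True

def open_stream_unchecked(user, item_id):
    """Flawed pattern: assumes an earlier view already authorized the caller."""
    return CATALOG[item_id].stream_url

def open_stream(user, item_id):
    """Checked pattern: authorize every playback request, whatever the entry path."""
    item = CATALOG[item_id]
    if not can_play(user, item):
        raise PermissionError(f"{user.name} may not play {item.kind} {item_id}")
    return item.stream_url

def replay_report():
    """Grant Live TV, favorite a channel, revoke, then play from favorites."""
    user = User("alice", live_tv_enabled=True)
    user.favorites.add("ch-1")
    user.live_tv_enabled = False  # permission revoked; the favorite is still stored
    leaked = open_stream_unchecked(user, next(iter(user.favorites)))
    try:
        open_stream(user, "ch-1")
    except PermissionError:
        return leaked, True  # checked path denies the stale favorite
    return leaked, False
```

The same sequence makes a useful regression test for any media server: grant, favorite, revoke, then request the stream directly by item id and expect a denial.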

kikinjo
Posted November 10, 2025

Great find. What are you using for the proxy backend?

aoinoikaz (Author)
Posted November 10, 2025 (edited)

I wrote my own M3U & EPG proxy/parser.

Edited November 10, 2025 by aoinoikaz

Tigga5
Posted November 29, 2025

Quote: "Emby should validate Live TV permissions before attempting to play any Live TV content, regardless of how it's accessed"

They really should be doing this for all media, not just live TV. Pressing "play" should always trigger a permissions validation to confirm the user actually has access. This is Security 101, and it’s genuinely alarming that permission failures like this are repeatedly surfacing at the playback layer.

Even more alarming is Emby’s apparent lack of urgency in treating these permission issues as a priority. At this point, the frequency and severity of these bugs clearly show an underlying system design flaw that should have been addressed long ago.

aoinoikaz (Author)
Posted December 14, 2025

They should be doing a full audit because there are more issues just like this. Any update?

Tigga5
Posted January 11

On 12/2/2025 at 12:24 AM, Luke said: "Hi, we are looking into this. Thanks."

What kind of progress has been made now that you've had over 2 months to investigate?