NicerDicer 3 Posted April 11
I have a library "Series" with the directories "Shows" and "Shows.Incoming", both containing subdirectories like "Show name". Access to the Incoming directory is explicitly removed for regular users (unchecked). I put new files into "Shows.Incoming/Show name/" to check them without regular users seeing them, before later moving them over. That worked fine until recently, when files there started being accessible for regular users regardless of that removed access to anything under "Shows.Incoming".
NicerDicer 3 Posted April 11 Author
Addition: This doesn't happen with "Show name" directories that are only in "Shows.Incoming" and not in "Shows", just with files in "Show name" directories that exist in "Shows.Incoming" AND "Shows".
NicerDicer 3 Posted April 12 Author
I don't know if I understand you correctly, so here's an example:

    Shows/
        Show name 1/
            Episode A1
            Episode A2
    Shows.Incoming/
        Show name 1/
            Episode A3
        Show name 2/
            Episode B1

In the library, user X has the access check mark set for "Shows" and "Shows.Incoming", and correctly sees all four episode files.
In the library, user Y only has access set for "Shows" but inside "Show name 1" sees A1, A2 and incorrectly A3, but correctly doesn't see "Show name 2" at all, and therefore also not B1.
NicerDicer 3 Posted April 13 Author
@Neminem Yes, that's active, it's an important puzzle piece in the workflow described above. This grouping is the desired behaviour, but it should not lead to bypassing accessibility checks for entries.
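The behaviour reported above, modelled as an added example (not Emby's code and not written by any poster in this thread): episodes of one show are grouped across folders, and a check made once per grouped show is compared with a check made per episode path. The library root "/Series", the function names and the series-level check are assumptions made for illustration; the folder layout and users X and Y are the ones from the post.

```python
from pathlib import PurePosixPath

# Constructed sample data mirroring the layout in the post; "/Series" is an assumed root.
EPISODES = {
    "A1": "/Series/Shows/Show name 1/Episode A1",
    "A2": "/Series/Shows/Show name 1/Episode A2",
    "A3": "/Series/Shows.Incoming/Show name 1/Episode A3",
    "B1": "/Series/Shows.Incoming/Show name 2/Episode B1",
}
# Folders each user has the access check mark set for.
ACCESS = {
    "X": {"/Series/Shows", "/Series/Shows.Incoming"},
    "Y": {"/Series/Shows"},
}

def in_folder(path, folder):
    """Component-wise containment. A plain startswith() test would treat
    "Shows.Incoming" as lying inside "Shows" because the names share a prefix."""
    p, f = PurePosixPath(path), PurePosixPath(folder)
    return f == p or f in p.parents

def allowed(user, path):
    return any(in_folder(path, f) for f in ACCESS[user])

def merged_series():
    """Group episodes by show directory name across folders (the grouping option)."""
    series = {}
    for ep, path in EPISODES.items():
        series.setdefault(PurePosixPath(path).parent.name, []).append(ep)
    return series

def visible_series_level(user):
    """Hypothetical flawed check: a grouped show is listed if the user may see
    any of its episodes, and then every episode of the group is returned."""
    out = []
    for eps in merged_series().values():
        if any(allowed(user, EPISODES[e]) for e in eps):
            out.extend(eps)
    return sorted(out)

def visible_per_item(user):
    """Expected behaviour: grouping only affects display, access is per episode path."""
    return sorted(e for e, p in EPISODES.items() if allowed(user, p))

def leaked(user):
    """Episodes shown by the series-level check that the per-item check would hide."""
    return sorted(set(visible_series_level(user)) - set(visible_per_item(user)))

if __name__ == "__main__":
    for u in ("X", "Y"):
        print(u, visible_series_level(u), visible_per_item(u), leaked(u))
```

The same comparison works as a regression check after a server update: list what a restricted test account can see, then compare each item's path against that account's allowed folders.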
NicerDicer 3 Posted April 17 Author
On 4/12/2026 at 6:04 AM, Luke said:
    it's only in one place right?
On 4/12/2026 at 4:59 PM, NicerDicer said:
    I don't know if I understand you correctly
Probably: Files yes, directories no. See my longer answer above. In its current state, this is a severe security issue. Users get access to entries they are explicitly not allowed to see.
Tigga5 42 Posted April 17 (edited)
6 hours ago, NicerDicer said:
    this is a severe security issue. Users get access to entries they are explicitly not allowed to see.
This is exactly the kind of issue that has been plaguing Emby for years, yet it continues to be ignored and downplayed. At this point it's clearly not just isolated edge cases, there’s a fundamental problem with Emby's architecture when it comes to user permissions. Emby has never treated user data leakage as a serious security issue. On multiple occasions, the developers have spent more time arguing semantics than actually addressing the problem. When issues like this come up they might eventually get fixed, but rarely in a reasonable timeframe, and not consistently, with many others left unresolved. If users can access directories they were never granted access to, that's a fundamental security failure. Expecting privacy or proper user isolation in Emby at this point is wishful thinking. The developers have shown time and time again that this just isn't a priority and it clearly never will be. The issue isn't just the bugs, it's the refusal to treat them like they matter. If you'd like to see some more examples of these leaks, here's just a few...
https://emby.media/community/index.php?/topic/128420-unauthenticated-access-to-images-by-itemid/&do=findComment&comment=1401206
https://emby.media/community/index.php?/topic/145821-bug-parental-control-tag-restrictions-do-not-hide-tagged-items-from-restricted-users/
https://emby.media/community/index.php?/topic/144179-security-issue-using-home-button-makes-pin-bypass-possible/&do=findComment&comment=1499952
https://emby.media/community/index.php?/topic/145761-just-discovered-a-potentially-horrifying-problem/
https://emby.media/community/index.php?/topic/131295-leaking-inaccessible-music-info-to-other-users/&do=findComment&comment=1378489
Edited April 17 by Tigga5
visproduction 361 Posted April 17
Updates to beta version to protect images: https://emby.media/community/topic/128420-unauthenticated-access-to-images-by-itemid/page/6/#findComment-1514783
Tigga5 42 Posted April 18
20 hours ago, visproduction said:
    Updates to beta version to protect images: https://emby.media/community/topic/128420-unauthenticated-access-to-images-by-itemid/page/6/#findComment-1514783
While it's good that this is finally being addressed, this comes 6 years after the community first demonstrated how easily library images could be scraped via ID enumeration, and over 2 years after the dev team acknowledged that they plan to address it. Fixing security debt from 2020 isn't exactly a win here. It's just further proof that basic security practices have long been ignored and consistently taken a backseat to other features.
NicerDicer 3 Posted April 19 Author
This is getting off-topic. Let's keep talk about other issues where they're already being discussed. My problem isn't about possible attacks but is a very practical one affecting regular operation. I was meeting with friends to watch new content only to learn that one of them already watched it, impacting the group experience. This shouldn't have been possible.