Users get access to directories they shouldn't

[NicerDicer 3]

I have a library "Series" with the directories "Shows" and "Shows.Incoming", both containing subdirectories like "Show name". Access to the Incoming directory is explicitly removed for regular users (unchecked). I put new files into "Shows.Incoming/Show name/" to check them without regular users seeing them, before later moving them over. That worked fine until recently, when files there started being accessible for regular users regardless of that removed access to anything under "Shows.Incoming".

[NicerDicer 3]

Addition: This doesn't happen with "Show name" directories that are only in "Shows.Incoming" and not in "Shows", just with files in "Show name" directories that exist in "Shows.Incoming" AND "Shows".

[Luke 42312]

Hi, and its' only in one place right?

[NicerDicer 3]

I don't know if I understand you correctly, so here's an example:

Shows/
  Show name 1/
    Episode A1
    Episode A2
Shows.Incoming/
  Show name 1/
    Episode A3
  Show name 2/
    Episode B1

• In the library, user X has the access check mark set for "Shows" and "Shows.Incoming", and correctly sees all four episode files.
• In the library, user Y only has access set for "Shows" but inside "Show name 1" sees A1, A2 and incorrectly A3, but correctly doesn't see "Show name 2" at all, and therefore also not B1.

[Neminem 1639]

Is this enabled in you library settings.

[NicerDicer 3]

@NeminemYes that's active, it's an important puzzle piece in the workflow described above. This grouping is the desired  behaviour, but it should not lead to bypassing accessibility checks for entries.

 

 

[NicerDicer 3]

On 4/12/2026 at 6:04 AM, Luke said:

its' only in one place right?

On 4/12/2026 at 4:59 PM, NicerDicer said:

I don't know if I understand you correctly

Probably: Files yes, directories no.

See my longer answer above. In its current state, this is a severe security issue. Users get access to entries they are explicitly not allowed to see.

[Tigga5 39]

6 hours ago, NicerDicer said:

this is a severe security issue. Users get access to entries they are explicitly not allowed to see.

This is exactly the kind of issue that has been plaguing Emby for years, yet it continues to be ignored and downplayed. At this point it's clearly not just isolated edge cases, there’s a fundamental problem with Emby's architecture when it comes to user permissions.

Emby has never treated user data leakage as a serious security issue. On multiple occasions, the developers have spent more time arguing semantics than actually addressing the problem. When issues like this come up they might eventually get fixed, but rarely in a reasonable timeframe, and not consistently, with many others left unresolved.

If users can access directories they were never granted access to, that's a fundamental security failure. Expecting privacy or proper user isolation in Emby at this point is wishful thinking. The developers have shown time and time again that this just isn't a priority and it clearly never will be. The issue isn't just the bugs, it's the refusal to treat them like they matter.

If you'd like to see some more examples of these leaks, here's just a few...

https://emby.media/community/index.php?/topic/128420-unauthenticated-access-to-images-by-itemid/&do=findComment&comment=1401206
https://emby.media/community/index.php?/topic/145821-bug-parental-control-tag-restrictions-do-not-hide-tagged-items-from-restricted-users/
https://emby.media/community/index.php?/topic/144179-security-issue-using-home-button-makes-pin-bypass-possible/&do=findComment&comment=1499952
https://emby.media/community/index.php?/topic/145761-just-discovered-a-potentially-horrifying-problem/
https://emby.media/community/index.php?/topic/131295-leaking-inaccessible-music-info-to-other-users/&do=findComment&comment=1378489

Edited 1 hour ago by Tigga5

[visproduction 338]

Udpates to beta version to protect images: https://emby.media/community/topic/128420-unauthenticated-access-to-images-by-itemid/page/6/#findComment-1514783