NicerDicer 3 Posted April 11
I have a library "Series" with the directories "Shows" and "Shows.Incoming", both containing subdirectories like "Show name". Access to the Incoming directory is explicitly removed for regular users (unchecked). I put new files into "Shows.Incoming/Show name/" to check them without regular users seeing them, before later moving them over. That worked fine until recently, when files there started being accessible for regular users regardless of that removed access to anything under "Shows.Incoming".
NicerDicer 3 Author Posted April 11
Addition: This doesn't happen with "Show name" directories that are only in "Shows.Incoming" and not in "Shows", just with files in "Show name" directories that exist in "Shows.Incoming" AND "Shows".
NicerDicer 3 Author Posted Sunday at 02:59 PM
I don't know if I understand you correctly, so here's an example:

    Shows/
        Show name 1/
            Episode A1
            Episode A2
    Shows.Incoming/
        Show name 1/
            Episode A3
        Show name 2/
            Episode B1

In the library, user X has the access check mark set for "Shows" and "Shows.Incoming", and correctly sees all four episode files.
In the library, user Y only has access set for "Shows" but inside "Show name 1" sees A1, A2 and incorrectly A3, but correctly doesn't see "Show name 2" at all, and therefore also not B1.
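An added example, not part of any post in this thread and not Emby code: an offline audit that compares the items a user can see against the folders that user was granted, using the layout from the post above. The `/media/Series` root, the `.mkv` names and the item dictionaries are constructed sample data; the naive variant is included only to show why the comparison must be done per path component, since "Shows" is a string prefix of "Shows.Incoming".

```python
from pathlib import PurePosixPath

def is_under(path, folder):
    """True if path lies inside folder, compared by whole path components."""
    p, f = PurePosixPath(path).parts, PurePosixPath(folder).parts
    return len(p) > len(f) and p[:len(f)] == f

def audit_visible_items(visible_items, allowed_folders):
    """Return items whose backing file is outside every granted folder."""
    return [item for item in visible_items
            if not any(is_under(item["path"], f) for f in allowed_folders)]

def naive_audit(visible_items, allowed_folders):
    """Flawed audit: plain string prefix matching. '/media/Series/Shows' is a
    prefix of '/media/Series/Shows.Incoming', so the leak goes unnoticed."""
    return [item for item in visible_items
            if not any(item["path"].startswith(f) for f in allowed_folders)]

# Constructed sample data modelled on the thread's example (paths are assumptions).
ROOT = "/media/Series"
A1 = {"name": "Episode A1", "path": f"{ROOT}/Shows/Show name 1/Episode A1.mkv"}
A2 = {"name": "Episode A2", "path": f"{ROOT}/Shows/Show name 1/Episode A2.mkv"}
A3 = {"name": "Episode A3", "path": f"{ROOT}/Shows.Incoming/Show name 1/Episode A3.mkv"}
B1 = {"name": "Episode B1", "path": f"{ROOT}/Shows.Incoming/Show name 2/Episode B1.mkv"}

# User X is granted both folders and sees all four episodes.
ALLOWED_X = [f"{ROOT}/Shows", f"{ROOT}/Shows.Incoming"]
VISIBLE_X = [A1, A2, A3, B1]

# User Y is granted only "Shows" but, as reported, also sees A3.
ALLOWED_Y = [f"{ROOT}/Shows"]
VISIBLE_Y = [A1, A2, A3]

if __name__ == "__main__":
    for user, visible, allowed in (("X", VISIBLE_X, ALLOWED_X),
                                   ("Y", VISIBLE_Y, ALLOWED_Y)):
        leaks = audit_visible_items(visible, allowed)
        print(f"user {user}: {len(leaks)} item(s) outside granted folders")
        for item in leaks:
            print(f"  {item['name']}  ->  {item['path']}")
```
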
Neminem 1639 Posted Monday at 04:56 AM
Is this enabled in your library settings?
NicerDicer 3 Author Posted Monday at 01:33 PM
@Neminem Yes that's active, it's an important puzzle piece in the workflow described above. This grouping is the desired behaviour, but it should not lead to bypassing accessibility checks for entries.
NicerDicer 3 Author Posted yesterday at 09:47 AM
On 4/12/2026 at 6:04 AM, Luke said:
    it's only in one place right?
On 4/12/2026 at 4:59 PM, NicerDicer said:
    I don't know if I understand you correctly
Probably: Files yes, directories no. See my longer answer above.
In its current state, this is a severe security issue. Users get access to entries they are explicitly not allowed to see.
Tigga5 40 Posted 22 hours ago
6 hours ago, NicerDicer said:
    this is a severe security issue. Users get access to entries they are explicitly not allowed to see.
This is exactly the kind of issue that has been plaguing Emby for years, yet it continues to be ignored and downplayed. At this point it's clearly not just isolated edge cases, there's a fundamental problem with Emby's architecture when it comes to user permissions.
Emby has never treated user data leakage as a serious security issue. On multiple occasions, the developers have spent more time arguing semantics than actually addressing the problem. When issues like this come up they might eventually get fixed, but rarely in a reasonable timeframe, and not consistently, with many others left unresolved.
If users can access directories they were never granted access to, that's a fundamental security failure. Expecting privacy or proper user isolation in Emby at this point is wishful thinking. The developers have shown time and time again that this just isn't a priority and it clearly never will be. The issue isn't just the bugs, it's the refusal to treat them like they matter.
If you'd like to see some more examples of these leaks, here's just a few...
https://emby.media/community/index.php?/topic/128420-unauthenticated-access-to-images-by-itemid/&do=findComment&comment=1401206
https://emby.media/community/index.php?/topic/145821-bug-parental-control-tag-restrictions-do-not-hide-tagged-items-from-restricted-users/
https://emby.media/community/index.php?/topic/144179-security-issue-using-home-button-makes-pin-bypass-possible/&do=findComment&comment=1499952
https://emby.media/community/index.php?/topic/145761-just-discovered-a-potentially-horrifying-problem/
https://emby.media/community/index.php?/topic/131295-leaking-inaccessible-music-info-to-other-users/&do=findComment&comment=1378489
Edited 22 hours ago by Tigga5
visproduction 338 Posted 22 hours ago
Updates to beta version to protect images: https://emby.media/community/topic/128420-unauthenticated-access-to-images-by-itemid/page/6/#findComment-1514783
Tigga5 40 Posted 2 hours ago
20 hours ago, visproduction said:
    Updates to beta version to protect images: https://emby.media/community/topic/128420-unauthenticated-access-to-images-by-itemid/page/6/#findComment-1514783
While it's good that this is finally being addressed, this comes 6 years after the community first demonstrated how easily library images could be scraped via ID enumeration, and over 2 years after the dev team acknowledged that they plan to address it.
Fixing security debt from 2020 isn't exactly a win here. It's just further proof that basic security practices have long been ignored and consistently taken a backseat to other features.