
WorldWideWebDev
Posted

Access to admin areas when not logged in. 

Problem: ability to view settings, options and limited details; unable to update details (I cannot), however options are available and viewable to an extent. Applying changes creates an error popup, Sign in Error: "Access token is invalid or Expired" (happy with that). Well, the fact is that I can see things which are on the admin panels, most areas, when I or you have not logged in to the server. I can even tell you if you have Emby Premiere or not. Now, is this an issue? I'm not a hacker, so I don't know how far someone could go, what can actually be done etc. That's why I'm here. Hopefully someone can shed some light.

Background setup: tested the vulnerability on two Emby servers. Both run DietPi OS as a base, both Emby Premiere, both Odroid C2 SBCs, both have multiple USB SSD drives, both run on SD card installations, both are accessible from the internet on HTTP and HTTPS; one has a domain name redirected with an A record to a static IP address, one uses HTTP only and a DDNS address. Both are standard Emby installations apart from one having fail2ban installed as well, but no extra Linux services apart from the minimal, as Odroid C2s are good but not that good. Some plugins are installed on both: MusicBrainz, MDB, OpenSubs, NFO, DLNA, Trailers, Playback Reporting etc. (if you believe these could be a cause, I'll be glad to do more testing). Also, I don't know if this is a DietPi issue; I guess someone will alert me of this if the vulnerability doesn't work for you on another OS. Thanks in advance.

Recreate the issue: log out of Emby if you are in, try this in another browser (Firefox, Edge), try an incognito window or a new private window (this works on all of them, by the way, in my instance).

Anyway, just do it on a computer or browser that is not logged in. Even my Samsung phone does this.

1. Open a browser and visit your Emby web UI: remotely on the phone via the 4G/5G internet, locally via your installation IP or server name, or via a domain name, whatever works for you. If you are prompted to log in, great; if not prompted, log off. You may or may not see the usernames to choose from, depending on your settings. If you are being prompted to log in, don't; instead go to the address bar, remove everything in the address and only leave this (of course I am giving you an IP example; your browser will have your Emby server IP or domain name).

Examples: http://192.168.178.188:8099/web/index.html#!/ , http://192.168.170.148:8096/web/index.html#!/ , https://emby.myemby.com.au:443/web/index.html#!/ (whatever, you get the gist).

2. Once you have removed all of the trailing address sections the fun begins. Add the word "dashboard" to the end of the address. You end up with, e.g., http://192.168.170.148:8096/web/index.html#!/dashboard or https://emby.myemby.com.au:443/web/index.html#!/dashboard etc.

3. Now refresh the page, click go, press enter, it doesn't matter, but the important part is to refresh the page when the address is seen correctly; this is the trick. You will see the login page once reloaded.

4. The magic. Now that you have inserted https://emby.myemby.com.au:443/web/index.html#!/dashboard in the address bar, click the big ( < ) in the upper left next to the big Emby logo on the refreshed login page. Not back in the browser, back within the Emby login page itself.

5. Now tell me, do you have Emby Premiere or just the standard version? :)

6. Do this with any section in the admin panel you wish to try: just add the section's name to the address bar, refresh the browser, and once back at the login page, click the ( < ) arrow top left next to the Emby logo to view that particular section. Again, not back in the browser but the back arrow within the Emby login page.

7. Try this with any Emby admin panel section name; you get the gist of this by now, or is it only me? users, apikeys, logs, scheduledtasks, plugins, databases, network etc., all of it. If you try using the user directory, say for instance "home" at the end of the address, refresh and click the back ( < ) button, you won't see much, but if you have a custom CSS background, you will see the background page load.

8. I was unable to shut down the server even though the button is visible, apply any changes, add users, view libraries or make any useful changes to affect my Emby servers; I guess that's logical, as anyone doing this is not actually logged in. So it's not that much of a vulnerability, I guess, but I'm not a programmer and actually have no clue if someone could do something in this area by looking at the page code, page source, developer options and the like. They would also have to find the exposed server before even getting into this. Probably there should be other means of reporting a problem in the report a problem section? Anyway, I believe someone should have a look and tell me if it's only me or it's a bug of some sort.

I've attached some screenshots of the areas I entered within the admin UI without being logged in, for reference. Sorry I couldn't screenshot the whole screen with the address bar, Windows doesn't let me, but anyway I hope I've outlined it thoroughly enough that it can be reproduced.

Attached screenshots:
Screenshot 2026-04-15 at 08-42-48 Database.png
Screenshot 2026-04-15 at 08-44-03 API Keys.png
Screenshot 2026-04-15 at 08-44-17 API Keys.png
Screenshot 2026-04-15 at 08-44-50 API Keys.png
Screenshot 2026-04-15 at 08-45-12 API Keys.png
Screenshot 2026-04-15 at 08-46-26 ANTFLIX.png
Screenshot 2026-04-15 at 07-44-15 New User.png
Screenshot 2026-04-15 at 08-31-39 Dashboard.png
Screenshot 2026-04-15 at 08-31-48 Dashboard.png
Screenshot 2026-04-15 at 08-32-21 Emby Premiere.png
Screenshot 2026-04-15 at 08-35-15 New User.png
Screenshot 2026-04-15 at 09-15-42 Open Subtitles.png

Posted

Hi, your screens are showing blank data because the server is denying access to that information.
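The reply makes the point that matters here: the web UI is a client-side shell, and the real boundary is whether the server's API hands out admin data without an access token. Below is an added verification script (not Emby's code, not from anyone in this thread) an administrator can run against their own server to confirm that the sections named in the post are denied without a token; the API paths are assumptions based on the Emby REST API and the dashboard section names above.

```python
"""Check that an Emby server refuses admin API data without an access token.

Added example, not Emby's own code. Endpoint paths are assumptions based on
the Emby REST API; adjust them if your server version differs.
"""
from typing import Callable, Dict, List
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Dashboard section names from the post, mapped to assumed API paths.
# A correctly configured server should answer 401 to each without a token.
PROTECTED: Dict[str, str] = {
    "users": "/emby/Users",
    "apikeys": "/emby/Auth/Keys",
    "scheduledtasks": "/emby/ScheduledTasks",
    "plugins": "/emby/Plugins",
}
# Assumed public path: served without auth by design (server name, version).
PUBLIC = "/emby/System/Info/Public"

Fetcher = Callable[[str], int]  # url -> HTTP status code


def http_status(url: str) -> int:
    """GET the URL with no X-Emby-Token header and return the status code."""
    req = Request(url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def unauthenticated_leaks(base_url: str, fetch: Fetcher = http_status) -> List[str]:
    """Return the section names whose API answered 2xx with no token at all.

    An empty list means the server denies the data behind those dashboard
    pages, which is what the "Access token is invalid or Expired" popup shows;
    a rendered but empty admin page is not by itself a data exposure.
    """
    base = base_url.rstrip("/")
    return [section for section, path in PROTECTED.items()
            if 200 <= fetch(base + path) < 300]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.170.148:8096"
    print("public info status:", http_status(target + PUBLIC))
    print("sections readable without a token:", unauthenticated_leaks(target))
```

Run it only against a server you administer; anything other than an empty list means the server, not just the UI, needs attention.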
