Insecure accessibility to any user on LAN without any authentication


Go to solution Solved by Luke,

dragonbytes
Posted

Hi,

I'm an Emby Premiere customer and running server version 4.10.0.11 beta under Linux (Ubuntu-based distro). I noticed that when connecting from the LAN, you can just select any user and get right in without any passwords or authentication of any kind, INCLUDING administrator accounts. Is this a bug or some kind of convenience "feature"? I know there used to be a setting where you could choose a PIN for LAN connections to make it easier, but it seems that option is nowhere to be found anymore. Anyone that could gain access to my LAN can now have complete control over my server, which is not cool at all. Is there a way to restrict this? Thanks

Posted

Hi, a few things:

  • You can control if users are hidden or not from the login screen in user management
  • You can configure a user's pin on the same screen as configuring their password
  • The login is probably being remembered. Try configuring the startup behavior option as you prefer. 
Posted

Also when you first signed in, you may have declined to use the pin when coming back. Try signing out and then back in, and then you can respond to that prompt again (if you have configured a pin).

dragonbytes
Posted

I know that you can hide user names if the connection is remote in origin, however if I just type in the right username, it just goes straight in. None of the users ever had a PIN as far as I know, nor did it ever get them the option on their devices.

In terms of login being remembered, another oddity is that I cannot log out. If I select "sign out", it returns me to the login screen, and if I reselect the user I just signed out from, it goes right back in again.

Another concern is that it's not just LAN like I initially thought. If you manually enter a username on remote connections, it just lets you right in. Basically the whole internet can access my server right now if they knew my IP and guessed a username. That's not normal behavior I assume?

Posted
2 hours ago, dragonbytes said:

None of the users ever had a PIN

Hi. Do your users have local passwords?

  • Solution
Posted

Right, it just means those users don’t have passwords.

dragonbytes
Posted

Yes, everyone has a password. I mean I know for sure my own account does, and yet no authentication is required. Unless somehow the user passwords got wiped from a bug?

dragonbytes
Posted

Wow yup, all the users' passwords were blank/empty. That's why. I've not seen this new profile PIN feature before, however when I reset my password, it then presented me with that option, so perhaps this bug is related to the new profile PIN system?

yocker
Posted
4 minutes ago, dragonbytes said:

Yes, everyone has a password. I mean I know for sure my own account does, and yet no authentication is required. Unless somehow the user passwords got wiped from a bug?

If using a browser and you are the one that entered the passwords for those accounts, it might be the browser that has saved those passwords and automatically enters them for you when trying to log in.

dragonbytes
Posted

Also, I set up Emby Connect for the first time with a few of the users, so I don't know if it's related to that as well? How does user authentication work with Emby Connect anyways? Like if they have a local password, but then try to sign in with linked Emby Connect, does it prompt them for their user password? Or does the authentication into emby.media automatically give them access through the link?

Posted
On 5/18/2026 at 7:29 PM, dragonbytes said:

Wow yup, all the users' passwords were blank/empty. That's why. I've not seen this new profile PIN feature before, however when I reset my password, it then presented me with that option, so perhaps this bug is related to the new profile PIN system?

Hi, how did you reset the password?

dragonbytes
Posted
16 hours ago, Luke said:

Hi, how did you reset the password?

I basically just went into the Users area, clicked on each user and went to the Password section for each, and set a new one. The act of setting a password is what made the PIN options come up and made the user login secure again. I still have no idea how all the passwords that were already set got erased though. But for now things seem back to normal.

Posted
2 hours ago, dragonbytes said:

I basically just went into the Users area, clicked on each user and went to the Password section for each, and set a new one. The act of setting a password is what made the PIN options come up and made the user login secure again. I still have no idea how all the passwords that were already set got erased though. But for now things seem back to normal.

Hi, going through the password reset process without specifying a username is the most likely answer. That's something you would do if you've forgotten both your admin username and password.
