Video streams unauthenticated (VideosController, HlsSegmentController, LiveTVController) #6952

New Issue

Open

opened 2026-02-07 04:19:48 +03:00 by OVERLORD · 0 comments

OVERLORD commented 2026-02-07 04:19:48 +03:00

Owner

Copy Link

Originally created by @felix920506 on GitHub (Apr 23, 2025).

Split from #5415

Summary: The current implementation allows direct play without authentication. Transcoded media is partially authenticated (old HLS only has metadata protection, new HLS protects all). The Jellyfin web client does provide an api_key parameter in the URL for all some stream types (except HlsSegmentController because the m3u playlist generated doesn't contain parameters), but it isn't checked.
HlsSegmentController has a comment saying "Can't require authentication just yet due to seeing some requests come from Chrome without full query string"
This also applied to streams in LiveTvController endpoints. Those are also not authenticated. Update: Appears to be resolved in 10.8.9
Potential fix: Require authentication on all video streams, both direct streams as well as any transcoded media.

Originally created by @felix920506 on GitHub (Apr 23, 2025). Split from #5415 Summary: The current implementation allows direct play without authentication. Transcoded media is partially authenticated (old HLS only has metadata protection, new HLS protects all). The Jellyfin web client does provide an api_key parameter in the URL for all some stream types (except HlsSegmentController because the m3u playlist generated doesn't contain parameters), but it isn't checked. HlsSegmentController has a comment saying "Can't require authentication just yet due to seeing some requests come from Chrome without full query string" This also applied to streams in LiveTvController endpoints. Those are also not authenticated. Update: Appears to be resolved in 10.8.9 Potential fix: Require authentication on all video streams, both direct streams as well as any transcoded media.

OVERLORD added the bugsecurity labels 2026-02-07 04:19:48 +03:00

OVERLORD referenced this issue 2026-02-07 06:40:36 +03:00

[PR #7887] Move service hardening options to override config #11557

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

release-10.11.z

renovate/skiasharp-monorepo

JPVenson-patch-1

renovate/morestachio-5.x

release-10.9.z

openapi-cache

release-10.10.z

explicit-load

explicit-load-v2

feature/entity-framework

only-count-folder-item

fix/ci-workflow-refactor

release-10.8.z

release-10.7.z

EraYaN-add-management-interface

release-10.6.z

release-10.5.z

release-10.4.z

release-10.3.z

release-10.2.z

release-10.1.0

v10.11.6

v10.11.5

v10.11.4

v10.11.3

v10.11.2

v10.11.1

v10.11.0

v10.11.0-rc9

v10.11.0-rc8

v10.11.0-rc7

v10.11.0-rc6

v10.11.0-rc5

v10.11.0-rc4

v10.11.0-rc3

v10.11.0-rc2

v10.11.0-rc1

v10.10.7

v10.10.6

v10.10.5

v10.10.4

v10.10.3

v10.10.2

v10.10.1

v10.10.0

v10.9.11

v10.9.10

v10.9.9

v10.9.8

v10.9.7

v10.9.6

v10.9.5

v10.9.4

v10.9.3

v10.9.2

v10.9.1

v10.9.0

v10.8.13

v10.8.12

v10.8.11

v10.8.10

v10.8.9

v10.8.8

v10.8.7

v10.8.6

v10.8.5

v10.8.4

v10.8.3

v10.8.2

v10.8.1

v10.8.0

v10.8.0-beta3

v10.8.0-beta2

v10.8.0-beta1

v10.8.0-alpha5

v10.8.0-alpha4

v10.8.0-alpha3

v10.8.0-alpha2

v10.8.0-alpha1

v10.7.7

v10.7.6

v10.7.5

v10.7.4

v10.7.3

v10.7.2

v10.7.1

v10.7.0

v10.7.0-rc4

v10.7.0-rc3

v10.7.0-rc2

v10.7.0-rc1

v10.6.4

v10.6.3

v10.6.2

v10.6.1

v10.6.0

v10.5.5

v10.5.4

v10.5.3

v10.5.2

v10.5.1

v10.5.0

v10.4.3

v10.4.2

v10.4.1

v10.4.0

v10.3.7

v10.3.6

v10.3.5

v10.3.4

v10.3.3

v10.3.2

v10.3.1

v10.3.0

v10.3.0-rc2

v10.3.0-rc1

v10.2.2

v10.2.1

v10.2.0

v10.1.0

v10.0.1

v10.0.0

v10.0.2

v3.5.2-5

Labels

Clear labels

EFjellyfin.db

area:database

awaiting-feedback

backend

blocked

breaking change: web api

bug

build

ci

confirmed

discussion needed

dotnet future

downstream

duplicate

enhancement

feature

future

github-actions

good first issue

hdr

help wanted

invalid

investigation

librarydb

live-tv

lyrics

media playback

music

needs testing

nuget

performance

platform

pull-request

Mirrored from GitHub Pull Request

question

regression

release critical

requires-web

roadmap

security

security

stale

support

syncplay

ui & ux

upstream

wontfix

No Label bug security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/jellyfin#6952