mirror of
https://github.com/jellyfin/jellyfin.git
synced 2026-07-16 05:43:54 +03:00
PluginsController only requires user privileges for potentially sensitive actions #6956
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @felix920506 on GitHub (Apr 23, 2025).
split from #5415
Includes, but is not limited to: Listing all plugins on the server without being admin, changing plugin settings, listing plugin settings without being admin. This includes the possibility of retrieving LDAP access credentials without admin privileges. In specific conditions it can also lead to attacks that leak entire user passwords, e.g by changing the remote LDAP server to an attacker controlled server.
Potential fix: Require admin privileges for all potentially sensitive plugin endpoints, e.g all non-legacy endpoints.
@Fmstrat commented on GitHub (Jul 1, 2025):
I've conducted some testing against the LDAP plugin, since this seems to be the biggest vulnerability from the original ticket as it can lead to full priviledge escalation into a full domain network beyond the Jellyfin Server. From what I can tell, the latest endpoints for the LDAP service return a blank result for any non-admin tokens.
Test script:
When using an admin user, the above call returns JSON, when using a non-admin user, it returns blank.
To be clear, this isn't a full test as there may be other endpoints that are an issue, I'm not entirely familiar with the Jellyfin API layer.
@thornbill commented on GitHub (Oct 28, 2025):
This has been fixed since 10.9.0: https://github.com/jellyfin/jellyfin/pull/11436