starred/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-05-04 18:09:12 +03:00
Code Issues 822 Packages Projects Releases 10 Wiki Activity

Video streams completely unauthenticated #774

New Issue
Closed
opened 2026-02-06 20:05:20 +03:00 by OVERLORD · 9 comments
OVERLORD commented 2026-02-06 20:05:20 +03:00
Owner
Copy Link

Originally created by @DMouse10462 on GitHub (Jul 1, 2019).

Describe the bug
This is sort of a roadmap/implementation/opinion question, but will Jellyfin keep video streams completely unauthenticated as they are for the foreseeable future? It was somewhat shocking to discover that Emby/Jellyfin allows streaming of a video (provided you have the ID) without any need for authentication.

On top of this, it appears that no direct URL streaming is logged under Activity, as it appears that only proper clients that register their usage and progress appear here.

To Reproduce

  1. Find a video ID
  2. Access /Videos/{id}/stream.{container} with any player without any authentication
  3. Observe stream/dashboard activity

Expected behavior

  • Stream should fail without authentication.
  • Activity should be logged within dashboard

Logs

This appears to be (previously) expected behavior, so no error logs seem necessary. Let me know if this assumption is wrong.

Screenshots
Screenshot of Stream

System (please complete the following information):

  • OS: Server - Pop! OS 18.10, Client - Any (Win10 in SS)
  • Browser: Any (Firefox in SS)
  • Jellyfin Version: 10.3.5
  • Reverse proxy: Caddy

Additional context

Reading Emby forums led me to believe that this was an intentional decision in order to allow a wide variety of players (with some comments direct from Luke), but it comes off as quite strange considering there isn't even a form of token authentication keeping unauthorized users from streaming and transcoding.

Originally created by @DMouse10462 on GitHub (Jul 1, 2019). **Describe the bug** This is sort of a roadmap/implementation/opinion question, but will Jellyfin keep video streams completely unauthenticated as they are for the foreseeable future? It was somewhat shocking to discover that Emby/Jellyfin allows streaming of a video (provided you have the ID) without any need for authentication. On top of this, it appears that no direct URL streaming is logged under Activity, as it appears that only proper clients that register their usage and progress appear here. **To Reproduce** <!-- Steps to reproduce the behavior: --> 1. Find a video ID 2. Access /Videos/{id}/stream.{container} with any player without any authentication 3. Observe stream/dashboard activity **Expected behavior** * Stream should fail without authentication. * Activity should be logged within dashboard **Logs** <!-- Please paste any log errors. --> This appears to be (previously) expected behavior, so no error logs seem necessary. Let me know if this assumption is wrong. **Screenshots** ![Screenshot of Stream](https://i.imgur.com/SRxo4tE.png) **System (please complete the following information):** - OS: Server - Pop! OS 18.10, Client - Any (Win10 in SS) - Browser: Any (Firefox in SS) - Jellyfin Version: 10.3.5 - Reverse proxy: Caddy **Additional context** <!-- Add any other context about the problem here. --> Reading Emby forums led me to believe that this was an intentional decision in order to allow a wide variety of players (with some comments direct from Luke), but it comes off as quite strange considering there isn't even a form of token authentication keeping unauthorized users from streaming and transcoding.
OVERLORD added the bugconfirmedsecurity labels 2026-02-06 20:05:20 +03:00
OVERLORD commented 2026-02-06 20:05:23 +03:00
Author
Owner
Copy Link

@ddurdle commented on GitHub (Jul 13, 2019):

This is an issue that was inherited from emby. The streams will take a session parameter, but it is not required. So it is possible for users to stream without authorization. I brought up the issue with emby back in emby 3.5.2.

@ddurdle commented on GitHub (Jul 13, 2019): This is an issue that was inherited from emby. The streams will take a session parameter, but it is not required. So it is possible for users to stream without authorization. I brought up the issue with emby back in emby 3.5.2.
OVERLORD commented 2026-02-06 20:05:24 +03:00
Author
Owner
Copy Link

@normanu commented on GitHub (Feb 25, 2020):

Would this be solved by blocking /Videos/ from the reverse proxy?
This is a pretty big security issue.

@normanu commented on GitHub (Feb 25, 2020): Would this be solved by blocking /Videos/ from the reverse proxy? This is a pretty big security issue.
OVERLORD commented 2026-02-06 20:05:24 +03:00
Author
Owner
Copy Link

@dkanada commented on GitHub (Feb 25, 2020):

@normanu I don't think it would, but I did bring up in chat that we could potentially include an option to disable unauthenticated requests and require manual intervention to enable it. This would probably need an option in the startup wizard and a message on the DLNA page explaining the issue at minimum to get merged.

@dkanada commented on GitHub (Feb 25, 2020): @normanu I don't think it would, but I did bring up in chat that we could potentially include an option to disable unauthenticated requests and require manual intervention to enable it. This would probably need an option in the startup wizard and a message on the DLNA page explaining the issue at minimum to get merged.
OVERLORD commented 2026-02-06 20:05:25 +03:00
Author
Owner
Copy Link

@angauber commented on GitHub (Jun 11, 2020):

This also affects Images

You can fetch any image given it's id like so:
curl http://server_url/Items/hash_id/Images/Primary/ --output res.jpg

Oddly for music, this requires the api_key parameter

curl http://server_url/Audio/hash_id/universal
Access token is required.

I wonder what limits the usage of this token on Images / Videos

@angauber commented on GitHub (Jun 11, 2020): This also affects Images You can fetch any image given it's id like so: `curl http://server_url/Items/hash_id/Images/Primary/ --output res.jpg` Oddly for music, this requires the `api_key` parameter ```bash curl http://server_url/Audio/hash_id/universal Access token is required. ``` I wonder what limits the usage of this token on Images / Videos
OVERLORD commented 2026-02-06 20:05:25 +03:00
Author
Owner
Copy Link

@cvium commented on GitHub (Apr 9, 2021):

Consolidating security issues/questions in #5415

@cvium commented on GitHub (Apr 9, 2021): Consolidating security issues/questions in #5415
OVERLORD commented 2026-02-06 20:05:26 +03:00
Author
Owner
Copy Link

@pktiuk commented on GitHub (May 22, 2024):

@cvium
Closing this issue may be misleading for users and developers. Please check comment: https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2071798575
I think it would be wise to reopen it.

@pktiuk commented on GitHub (May 22, 2024): @cvium Closing this issue may be misleading for users and developers. Please check comment: https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2071798575 I think it would be wise to reopen it.
OVERLORD commented 2026-02-06 20:05:26 +03:00
Author
Owner
Copy Link

@cvium commented on GitHub (May 22, 2024):

The consolidation was on purpose.

@cvium commented on GitHub (May 22, 2024): The consolidation was on purpose.
OVERLORD commented 2026-02-06 20:05:27 +03:00
Author
Owner
Copy Link

@pktiuk commented on GitHub (May 22, 2024):

Then it should not be closed as completed, but closed as not planned.

image

@pktiuk commented on GitHub (May 22, 2024): Then it should not be closed as `completed`, but closed as `not planned`. ![image](https://github.com/jellyfin/jellyfin/assets/45544416/56df56f5-defd-4745-9cef-919b66864284)
OVERLORD commented 2026-02-06 20:05:27 +03:00
Author
Owner
Copy Link

@Bond-009 commented on GitHub (May 22, 2024):

@pktiuk Please don't comment on issues that closed 3 years ago.
Also that feature didn't exist yet when this was closed https://github.blog/changelog/2022-05-19-the-new-github-issues-may-19th-update/

@Bond-009 commented on GitHub (May 22, 2024): @pktiuk Please don't comment on issues that closed 3 years ago. Also that feature didn't exist yet when this was closed https://github.blog/changelog/2022-05-19-the-new-github-issues-may-19th-update/
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
EFjellyfin.db
area:database
awaiting-feedback
backend
blocked
breaking change: web api
bug
build
ci
confirmed
discussion needed
dotnet future
downstream
duplicate
enhancement
feature
future
github-actions
good first issue
hdr
help wanted
invalid
investigation
librarydb
live-tv
lyrics
media playback
music
needs testing
nuget
performance
platform
pull-request
Mirrored from GitHub Pull Request
 question
regression
release critical
requires-web
roadmap
security
security
stale
support
syncplay
ui & ux
upstream
wontfix
No Label bug confirmed security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/jellyfin#774
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?