Roku 1.6 Access controls are broken. Leaking restricted search results. #4349

Open
opened 2025-12-21 23:51:17 +01:00 by backuprepo · 5 comments

Originally created by @VideoFX on GitHub (Nov 12, 2022).

Please describe your bug

Describe the bug
For Jellyfin Roku 1.6: the search function allows users without access to libraries to see results from the restricted libraries. However, on other apps such as the web browser and Android, the access controls work as expected.

To Reproduce
Search for something you are not supposed to have access to.

Server:
Ubuntu 20.04
Jellyfin.Server 10.8.7.0

Client:
Roku Jellyfin 1.6

Jellyfin Version

10.8.0

if other:

10.8.7.0

Environment

- OS: Ubuntu 20.04
- Virtualization: Xen
- Clients: Roku Jellyfin 1.6

Jellyfin logs

No response

FFmpeg logs

No response

Please attach any browser or client logs here

No response

Please attach any screenshots here

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
backuprepo added the security, bug labels 2025-12-21 23:51:17 +01:00

@VideoFX commented on GitHub (Nov 12, 2022):

Maybe the reason, or related security issue: https://github.com/jellyfin/jellyfin/issues/8718


@anthonylavado commented on GitHub (Jan 8, 2023):

Looks like the latest release of 10.8.8 had at least a partial fix of this issue. I believe the only thing it doesn't cover is Live TV. Can you check and see if it's working as expected?


@VideoFX commented on GitHub (Jan 8, 2023):

I can confirm it is not working. The new version still leaks search results for movies, and access restrictions are still circumvented. It is most easily observed when using the Jellyfin Roku app (which I was told uses the API slightly differently compared to the web version). However, access restriction works for the web version. I never observed a problem with access restrictions when using the web browser.


@StevenAlexander44 commented on GitHub (Jan 25, 2023):

Still an issue in 10.8.9


@surepointit commented on GitHub (Feb 17, 2023):

Can confirm same issue here.

Roku app 1.6 build 3

Jellyfin server 10.8.9

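The thread reports that a user restricted to a subset of libraries still receives search hits from other libraries, and that the behaviour differs between clients that talk to the server through different endpoints. A practical way to confirm or rule this out on a given server is to compare, as the restricted user, the results of a search scoped to each library the user is allowed to see against an unscoped search on every search endpoint a client might use. The script below is an added example written for this page; it is not code from the Jellyfin project, the Roku app, or any commenter. It assumes the Jellyfin REST endpoints `/Users/{userId}/Views`, `/Users/{userId}/Items` and `/Search/Hints` and the `Authorization: MediaBrowser ... Token="..."` header as they exist in Jellyfin 10.x; the library and item IDs, the user ID, and the canned responses in `build_sample_fetcher` are constructed test data, and the fact that the sample leaves `/Search/Hints` unfiltered is an illustration of what a leak looks like, not a statement about which endpoint the Roku app uses or which one leaked on the reporters' servers.

```python
"""Check a Jellyfin server for cross-library leakage in search results.

Idea: as a restricted user, the union of per-library scoped searches is the
set of items the user is allowed to find. Anything an unscoped search
endpoint returns beyond that union is a leak. Transport is injected so the
logic runs offline against constructed responses (see build_sample_fetcher).
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Set

# A fetcher takes an API path (with query string) and returns parsed JSON.
Fetcher = Callable[[str], dict]


def make_http_fetcher(base_url: str, token: str) -> Fetcher:
    """Real transport: GET base_url + path with a Jellyfin-style auth header.
    Header format assumed from the Jellyfin 10.x API; Client/Device values are arbitrary."""
    auth = ('MediaBrowser Client="leakcheck", Device="script", '
            'DeviceId="leakcheck-1", Version="0.1", Token="%s"' % token)

    def fetch(path: str) -> dict:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": auth, "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def allowed_library_ids(fetch: Fetcher, user_id: str) -> Set[str]:
    """Libraries (views) the server says this user may access."""
    data = fetch(f"/Users/{user_id}/Views")
    return {v["Id"] for v in data.get("Items", [])}


def search_item_ids(fetch: Fetcher, user_id: str, term: str,
                    parent_id: Optional[str] = None) -> Set[str]:
    """Item IDs from the user-scoped Items endpoint; ParentId restricts to one library."""
    params = {"searchTerm": term, "Recursive": "true"}
    if parent_id:
        params["ParentId"] = parent_id
    data = fetch(f"/Users/{user_id}/Items?" + urllib.parse.urlencode(params))
    return {i["Id"] for i in data.get("Items", [])}


def search_hint_ids(fetch: Fetcher, user_id: str, term: str) -> Set[str]:
    """Item IDs from the Search/Hints endpoint (SearchHint carries ItemId; Id as fallback)."""
    params = {"userId": user_id, "searchTerm": term}
    data = fetch("/Search/Hints?" + urllib.parse.urlencode(params))
    return {h.get("ItemId") or h.get("Id") for h in data.get("SearchHints", [])}


def find_leaks(fetch: Fetcher, user_id: str, term: str) -> Dict[str, Set[str]]:
    """Per endpoint, the item IDs returned that lie outside every allowed library."""
    expected: Set[str] = set()
    for lib in allowed_library_ids(fetch, user_id):
        expected |= search_item_ids(fetch, user_id, term, parent_id=lib)
    return {
        "items_endpoint": search_item_ids(fetch, user_id, term) - expected,
        "search_hints": search_hint_ids(fetch, user_id, term) - expected,
    }


# ---- constructed offline sample (not real server data) ----------------------
SAMPLE_USER = "u-restricted"                 # may see only lib-kids
SAMPLE_LIBS: Dict[str, List[str]] = {"lib-kids": ["m-kids-alien"],
                                     "lib-adult": ["m-adult-alien"]}


def build_sample_fetcher() -> Fetcher:
    """Canned responses in the shape of the endpoints above. The Items endpoint
    honours the user's library permissions; Search/Hints is deliberately left
    unfiltered so the leak detection has something to find."""
    def fetch(path: str) -> dict:
        route, _, query = path.partition("?")
        q = dict(urllib.parse.parse_qsl(query))
        if route == f"/Users/{SAMPLE_USER}/Views":
            return {"Items": [{"Id": "lib-kids", "Name": "Kids"}]}
        if route == f"/Users/{SAMPLE_USER}/Items":
            libs = [q["ParentId"]] if q.get("ParentId") else ["lib-kids"]
            items = [{"Id": i} for lib in libs for i in SAMPLE_LIBS.get(lib, [])]
            return {"Items": items, "TotalRecordCount": len(items)}
        if route == "/Search/Hints":
            hints = [{"ItemId": i} for ids in SAMPLE_LIBS.values() for i in ids]
            return {"SearchHints": hints, "TotalRecordCount": len(hints)}
        raise KeyError(path)
    return fetch


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # live: base_url token user_id search_term
        base, token, user, term = sys.argv[1:]
        report = find_leaks(make_http_fetcher(base, token), user, term)
    else:
        report = find_leaks(build_sample_fetcher(), SAMPLE_USER, "alien")
    for endpoint, ids in report.items():
        print(f"{endpoint}: {'OK' if not ids else 'LEAK ' + ', '.join(sorted(ids))}")
```

Run it with no arguments to see the offline sample flag `m-adult-alien` on the hints endpoint only; against a live server, pass the base URL, an access token obtained as the restricted user, that user's ID and a search term that matches titles in a library the user must not see. Because the check compares the server's own scoped answers with its unscoped ones, it does not depend on knowing how a particular client renders results, which is the point when two clients disagree as they do in this thread.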
Reference: starred/jellyfin#4349