Able to create Admin user with empty password #6407

Open
opened 2025-12-22 04:12:22 +01:00 by backuprepo · 1 comment

Originally created by @LePips on GitHub (Oct 31, 2024).

This issue respects the following points:

  • This is a bug, not a question or a configuration issue; Please visit our forum or chat rooms first to troubleshoot with volunteers, before creating a report. The links can be found here.
  • This issue is not already reported on GitHub (I've searched it).
  • I'm using an up to date version of Jellyfin Server stable, unstable or master; We generally do not support previous older versions. If possible, please update to the latest version before opening an issue.
  • I agree to follow Jellyfin's Code of Conduct.
  • This report addresses only a single issue; If you encounter multiple issues, kindly create separate reports for each one.

Description of the bug

The server has moved to forbidding admin users with empty passwords when changing user passwords, however you can create a user that isn't an admin with an empty password and then make them an admin.

Tested on 10.9 and 10.10.

Reproduction steps

1 - Create normal user with empty password
2 - Update user policy `IsAdministrator` to true, or `Allow this user to manage the server` in web
3 - Now user with empty password is admin

What is the current bug behavior?

An admin with empty password is allowed.

What is the expected correct behavior?

Probably an error, but I am honestly unsure of how to properly check this condition without looking at the password on server.

Jellyfin Server version

10.10.0+

Specify commit id

No response

Specify unstable release number

No response

Specify version number

No response

Specify the build version

10.10.0

Environment

N/A, is API issue.

Jellyfin logs

Get 200 🤷

FFmpeg logs

No response

Client / Browser logs

No response

Relevant screenshots or videos

No response

Additional information

No response

backuprepo added the security, confirmed, bug labels 2025-12-22 04:12:22 +01:00

@nielsvanvelzen commented on GitHub (Oct 31, 2024):

The server does know when a password is empty, so returning an error is possible.
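
A minimal model of the check discussed in this thread, added here as an illustration and not Jellyfin's own code; the `User` record and the `set_admin`, `set_password` and `create_user` functions are hypothetical names. It enforces "administrator implies non-empty password" on every path that changes either field, and it decides from whether a hash is stored, not from the plaintext.

```python
# Hypothetical model; names are illustrative and not Jellyfin's API.
import hashlib
import os
from dataclasses import dataclass
from typing import Optional


class PolicyError(Exception):
    """Raised when a change would leave an administrator without a password."""


@dataclass
class User:
    name: str
    password_hash: Optional[bytes] = None  # None models "empty password"
    salt: bytes = b""
    is_admin: bool = False

    @property
    def has_password(self) -> bool:
        return self.password_hash is not None


def _check(is_admin: bool, has_password: bool) -> None:
    # Single invariant shared by every path that mutates either field.
    if is_admin and not has_password:
        raise PolicyError("administrators must have a non-empty password")


def set_password(user: User, password: str) -> None:
    _check(user.is_admin, bool(password))  # validate before mutating state
    if password:
        user.salt = os.urandom(16)
        user.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), user.salt, 100_000)
    else:
        user.password_hash = None


def set_admin(user: User, is_admin: bool) -> None:
    # The path from the report: promotion must consult stored password state.
    _check(is_admin, user.has_password)
    user.is_admin = is_admin


def create_user(name: str, password: str = "", is_admin: bool = False) -> User:
    user = User(name=name)
    set_password(user, password)  # is_admin is still False here
    set_admin(user, is_admin)     # rejected if the password was empty
    return user
```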

Reference: starred/jellyfin#6407