🚀 Jellyfin Server 10.11.7
We are pleased to announce the latest stable release of Jellyfin, version 10.11.7! This minor release brings several bugfixes to improve your Jellyfin experience. As alway...
That’s never made sense to me; why build an authn frontend instead of just clicking your user if the security is just an illusion anyways. “Use a VPN” is fine for a mainframe, but an active project in 2026 should aspire to be better.
Edit: or make note of that on their several pages with reverse proxy configuration.
I mean I’m sure they’d like to just ship safe code in the first place. But if that’s not their expertise and they demonstrate that repeatedly, we gotta take steps ourselves. Secure is obviously best, but I’d rather have insecure Jellyfin behind a VPN than no Jellyfin at all.
there is just too much place in the codebase for vulnerabilities, and also, most projects like this are maintained by volunteers in their free time for free.
I guess if you set up an IP whitelist in the reverse proxy, or a client TLS certificate requirement, it’s fine to open it to the internet, but otherwise no.
If I say I custom rolled my own crypto and it’s designed to be deployed to the open web, and you inspect it and don’t see anything wrong, should you do it?
Jellyfin is young and still in heavy development. As time goes on, more eyes have seen it, and it’s been battle hardened, the security naturally gets stronger and the risk lower. I don’t agree that no one should ever host a public jellyfin server for all time, but for right now, it should be clear that you’re assuming obvious risk.
Technically there’s no real problem here. Just like with any vulnerability in any service that’s exposed in some way, as long as you update right now you’re (probably) fine. I just don’t want staying on top of it to be a full time job, so I limit my attack surface by using a VPN.
It responds to and serves content to unauthenticated requests. That’s sorta table stakes if you’re creating an authenticated web service and providing guides to set it up with a reverse proxy.
Ok, I misread what you were linking to. Yeah, that’s pretty bad to allow actual streaming of content to unauthed users. I agree they should not be encouraging anyone to set this up to be publicly accessible until those are fixed. Or at least add a warning.
I don’t care if someone finds my instance and manages to guess a random number to stream some random movie. Good for them I guess it would be easier to just download it themselves.
Agreed, was more so referring to others. I apologize if it seemed like I was referring to myself
I’m already well and truly deep into this, myself. Two Proxmox nodes running the *Arr stack and Jellyfin in LXC containers. Bare metal TrueNAS, with scheduled LTO backups every two weeks. A few other bits and bobs, like some game servers and home automation for family.
Will need to re-map everything eventually, it’s kind of grown out of hand
Yes, not everyone. My grandmother would struggle setting up a VPN, for example.
that’s a weird take. your grandmother doesn’t need to set up a VPN. It’s not like this is where they would get stuck, they would have problems much sooner with running their own Jellyfin. that’s why you are hosting it for them, and why you go there and set the VPN up yourself.
You only have to give them access to a specific port on a specific machine, not your entire LAN.
My VPN has a ‘media’ usergroup who can only access the, read-only, NFS exports of my media library.
If you’re just installing Wireguard and enabling IP forwarding, yeah it would not be secure. But using a mesh VPN, like Tailscale/Headscale, gives you A LOT more tools to control access.
yeah but even with plain wireguard the peers can be limited. you just have to figure out the firewall rules, or use opnsense as your wireguard server because it figures the harder part out for you.
it’s not that it cannot be done. the issue is that something as simple as acceding a service should not require to configure wire guard and routing rules. plenty of FOSS projects are safe to expose through a simple reverse proxy
Oh absolutely, difference being that you only need to expose the service once, versus helping however many people set up VPNs to access the service on your LAN
I know way too many people who won’t remember to toggle it on, or just won’t deal with it
I know way too many people who won’t remember to toggle it on, or just won’t deal with it
they need a VPN app that toggles automatically. turn off when they happen to connect to your network, otherwise on, and only forward jellyfin and such apps through it.
I know way too many people who won’t remember to toggle it on, or just won’t deal with it
they need a VPN app that toggles automatically. turn off when they happen to connect to your network, otherwise on, and only forward jellyfin and such apps through it.
They’ve stated that they have no intention of ever fixing some of the biggest “anyone can access your media without a login” vulnerabilities, because it would require completely divesting from the Kodi branch that they initially used to start the entire project. And they never plan on rebuilding that from scratch, so those vulnerabilities will never be fixed.
It depends if you’re using Pangolin for private access or public exposure.
NetBird is a clean replacement for headscale/tailscale, but if your using pangolin specifically for its public tunnel feature then you’d need to keep pangolin.
Mainly use pangolin for public access, I’m looking for something/somehow add authentication for pangolin while trying to access endpoint in apps where it’s not exactly possible to directly authenticate in pangolin
yeah. it did. took a bit. i used headscale initramfs with dropbear for my servers. Didnt find anything for netbird so i copied the headscale initram script and changed it for netbird. But all works now. I like it.
Its the only software project I know of that you can’t put behind http basic auth. They mark this bug as “wontfix” every time someone points it out to them
Ok, I’ll look it up anyway. Under the jellyfin repository, there were eight results, none of which seemed to describe what you meant, and under the jellyfin-web repository, there were none. Using a web crawler search, I was able to find Issue #123 for jellyfin-android
Unlike custom implemented logins. So it’s common to use basic auth in front of custom auth implementations. So even when the app has a login vuln, you’re safe.
Yes that ticket is one of many.
Try searching the repo. Make sure to backspace out the prefix that ignores closed tickets.
That’s exactly how I searched.
If you want security, it’s probably best to follow the Unix philosophy of do one thing and do it well. In other words, don’t trust someone building a media server to handle auth and instead use the OIDC or LDAP plugins.
…which still uses Jellyfin for authentication. The only difference is that instead of checking your password locally it is sent over the network via LDAP
Just did a cursory read of the commits related to security for this release, and my assumpion based solely on the changes, is that it’s not a remote-access vulnerability, but a supply-chain-esque vulnerability where a video you downloaded from a questionable source might trigger code embedded in the metadata to be run by jellyfin.
or use the ldap auth plugin with your source of truth, put it behind a reverse proxy, protect it with fail2ban and anubis. there are ways of exposing it safely.
you totally can use ldap or oidc it just requires more setup. you just ensure jellyfin and your source of truth talk on their own subnet, docker can manage it all for you. ldap can be setup to be ldaps with ssl and never even leave the docker subnet anyways.
and yes I suppose you could rely on whitelists, but you’d have to manually add to the whitelist for every user, and god forbid if someone is traveling.
The solution is mentioned already - use vpn, it will solve 90% of the problems that you can encounter. Also you can serve multiple other services this way without exposing them.
the usable information is information that’s so widely talked about in this community that they probably expected anyone who is reading this to know what they’re talking about.
clearly there are still people who have no experience self-hosting whatsoever that we should be considerate of.
Don’t expose jellyfin to the internet is a golden rule.
That’s never made sense to me; why build an authn frontend instead of just clicking your user if the security is just an illusion anyways. “Use a VPN” is fine for a mainframe, but an active project in 2026 should aspire to be better.
Edit: or make note of that on their several pages with reverse proxy configuration.
Examples dating back over six years https://github.com/jellyfin/jellyfin/issues/5415
I mean I’m sure they’d like to just ship safe code in the first place. But if that’s not their expertise and they demonstrate that repeatedly, we gotta take steps ourselves. Secure is obviously best, but I’d rather have insecure Jellyfin behind a VPN than no Jellyfin at all.
there is just too much place in the codebase for vulnerabilities, and also, most projects like this are maintained by volunteers in their free time for free.
I guess if you set up an IP whitelist in the reverse proxy, or a client TLS certificate requirement, it’s fine to open it to the internet, but otherwise no.
If I say I custom rolled my own crypto and it’s designed to be deployed to the open web, and you inspect it and don’t see anything wrong, should you do it?
Jellyfin is young and still in heavy development. As time goes on, more eyes have seen it, and it’s been battle hardened, the security naturally gets stronger and the risk lower. I don’t agree that no one should ever host a public jellyfin server for all time, but for right now, it should be clear that you’re assuming obvious risk.
Technically there’s no real problem here. Just like with any vulnerability in any service that’s exposed in some way, as long as you update right now you’re (probably) fine. I just don’t want staying on top of it to be a full time job, so I limit my attack surface by using a VPN.
The original ticket is 2019. That’s 7 years ago.
It responds to and serves content to unauthenticated requests. That’s sorta table stakes if you’re creating an authenticated web service and providing guides to set it up with a reverse proxy.
Ok, I misread what you were linking to. Yeah, that’s pretty bad to allow actual streaming of content to unauthed users. I agree they should not be encouraging anyone to set this up to be publicly accessible until those are fixed. Or at least add a warning.
I don’t care if someone finds my instance and manages to guess a random number to stream some random movie. Good for them I guess it would be easier to just download it themselves.
Biggest worry is someone finding an uncaught RCE.
Of course plugins also have surface area.
We know they can anon pull video. You can sandbox it to limit exposure.
But if they modify the web client with an RCE, then you hit your own server as a trusted site and that delivers a payload…
deleted by creator
Unfortunately, not everyone is tech-literate enough nowadays to understand how a VPN works, nor do they want to
Yes, not everyone. My grandmother would struggle setting up a VPN, for example.
However, a community member of the selfhosted community is perfectly capable of reading a manual and learning the software.
That’s how you become tech literate in the first place, and you’re already on that path if you’re commenting/reading here.
Agreed, was more so referring to others. I apologize if it seemed like I was referring to myself
I’m already well and truly deep into this, myself. Two Proxmox nodes running the *Arr stack and Jellyfin in LXC containers. Bare metal TrueNAS, with scheduled LTO backups every two weeks. A few other bits and bobs, like some game servers and home automation for family.
Will need to re-map everything eventually, it’s kind of grown out of hand
Look at Tailscale (or self-host headscale)
It’s a bit of learning (like all of these other things) but it’s a very powerful tool.
I do agree with the general point that Jellyfin shouldn’t require a VPN.
that’s a weird take. your grandmother doesn’t need to set up a VPN. It’s not like this is where they would get stuck, they would have problems much sooner with running their own Jellyfin. that’s why you are hosting it for them, and why you go there and set the VPN up yourself.
I was not actually presenting a scenario where my grandmother would use a VPN.
I was pointing out that this community is full of people who are perfectly capable of learning to use a VPN. In response to this comment:
That’s a true statement about ‘everyone’ i.e. the entire population of the planet… but true about everyone here in this community.
Isn’t it easier to set up a VPN than expose it to the internet?
and then you are giving access to your lan to people whose computer you don’t control and might be full of malware.
Tbh I forgot about giving access to others, my homelab is for me only lol
You only have to give them access to a specific port on a specific machine, not your entire LAN.
My VPN has a ‘media’ usergroup who can only access the, read-only, NFS exports of my media library.
If you’re just installing Wireguard and enabling IP forwarding, yeah it would not be secure. But using a mesh VPN, like Tailscale/Headscale, gives you A LOT more tools to control access.
yeah but even with plain wireguard the peers can be limited. you just have to figure out the firewall rules, or use opnsense as your wireguard server because it figures the harder part out for you.
it’s not that it cannot be done. the issue is that something as simple as acceding a service should not require to configure wire guard and routing rules. plenty of FOSS projects are safe to expose through a simple reverse proxy
I have my doubts about that. Personally I would never do that.
Oh absolutely, difference being that you only need to expose the service once, versus helping however many people set up VPNs to access the service on your LAN
I know way too many people who won’t remember to toggle it on, or just won’t deal with it
It’s just not convenient enough
they need a VPN app that toggles automatically. turn off when they happen to connect to your network, otherwise on, and only forward jellyfin and such apps through it.
they need a VPN app that toggles automatically. turn off when they happen to connect to your network, otherwise on, and only forward jellyfin and such apps through it.
They’ve stated that they have no intention of ever fixing some of the biggest “anyone can access your media without a login” vulnerabilities, because it would require completely divesting from the Kodi branch that they initially used to start the entire project. And they never plan on rebuilding that from scratch, so those vulnerabilities will never be fixed.
They didn’t start the project from Kodi. It is a fork of Emby.
Y’all are assuming the security issue is something exploitable without authentication or has something to do with auth.
But it it could be a supply chain issue which a VPN won’t protect you from.
to be fair, Jellyfin had multiple unauthenticated vulnerabilities in the past so it makes sense to talk about it
The design of Jellyfin is really insecure
It isn’t a supply chain attack. If it was they would’ve disclosed it mmediately instead of waiting.
Yeah, i have my 30 docker containers behind Headscale (Tailscale).
NetBird is coming for you
I have been planning to check out Netbird for couple of days. Is it a good alternative for headscale and pangolin?
It depends if you’re using Pangolin for private access or public exposure.
NetBird is a clean replacement for headscale/tailscale, but if your using pangolin specifically for its public tunnel feature then you’d need to keep pangolin.
Mainly use pangolin for public access, I’m looking for something/somehow add authentication for pangolin while trying to access endpoint in apps where it’s not exactly possible to directly authenticate in pangolin
yeah. it did. took a bit. i used headscale initramfs with dropbear for my servers. Didnt find anything for netbird so i copied the headscale initram script and changed it for netbird. But all works now. I like it.
If only they would fix the htaccess bug
You’ve piqued my interest. Where can I read about it?
I did a quick search on their github and came up empty. Maybe no one mentioned “htaccess” in the issue.
Search for “basic auth”
Its the only software project I know of that you can’t put behind http basic auth. They mark this bug as “wontfix” every time someone points it out to them
Basic auth? The insecure authentication method?
Ok, I’ll look it up anyway. Under the jellyfin repository, there were eight results, none of which seemed to describe what you meant, and under the jellyfin-web repository, there were none. Using a web crawler search, I was able to find Issue #123 for jellyfin-android
Is that it?
Basic auth is very secure.
Unlike custom implemented logins. So it’s common to use basic auth in front of custom auth implementations. So even when the app has a login vuln, you’re safe.
Yes that ticket is one of many.
Try searching the repo. Make sure to backspace out the prefix that ignores closed tickets.
That’s exactly how I searched. If you want security, it’s probably best to follow the Unix philosophy of do one thing and do it well. In other words, don’t trust someone building a media server to handle auth and instead use the OIDC or LDAP plugins.
Utilize authelia perhaps?
Doesn’t work with TVs
ldap auth will work on tvs
But that’s basically using the same built-in auth. If there’s an auth bypass I don’t think it makes a difference.
not really. you can disable the default jellyfin login and force it to use ONLY ldap.
…which still uses Jellyfin for authentication. The only difference is that instead of checking your password locally it is sent over the network via LDAP
Don’t ever shit in your own house, either.
Just in case they’re watching.
I shit in my toilet
Just did a cursory read of the commits related to security for this release, and my assumpion based solely on the changes, is that it’s not a remote-access vulnerability, but a supply-chain-esque vulnerability where a video you downloaded from a questionable source might trigger code embedded in the metadata to be run by jellyfin.
or use the ldap auth plugin with your source of truth, put it behind a reverse proxy, protect it with fail2ban and anubis. there are ways of exposing it safely.
I still wouldn’t do it personally
deleted by creator
you totally can use ldap or oidc it just requires more setup. you just ensure jellyfin and your source of truth talk on their own subnet, docker can manage it all for you. ldap can be setup to be ldaps with ssl and never even leave the docker subnet anyways.
and yes I suppose you could rely on whitelists, but you’d have to manually add to the whitelist for every user, and god forbid if someone is traveling.
that’s nonsense. I do it myself and it works flawlessly, including on TVs.
So don’t use it outside your house? Pass
Nothing stops you from using it outside of your house.
I just love it when people post one sentence rebuttals without actually including any usable information what they are talking about.
Tailscale is a super easy vpn that gives you access to your home network from anywhere. And it’s free.
The solution is mentioned already - use vpn, it will solve 90% of the problems that you can encounter. Also you can serve multiple other services this way without exposing them.
the usable information is information that’s so widely talked about in this community that they probably expected anyone who is reading this to know what they’re talking about.
clearly there are still people who have no experience self-hosting whatsoever that we should be considerate of.
It kind of does. Whatever and yes I’m aware of the list people keep posting and I’ve looked at it.