I’m running Jellyfin on Windows and noticed that a non-admin user was able to restart the Jellyfin server using Shadfin, despite having no admin permissions in Jellyfin.
This persists even after:
Revoking all API keys
Logging out all users/devices
Confirming the user has no admin access
Confirming the user has no OS access to the server
The behavior appears to be tied to Jellyfin’s remote control / shared device permissions, not user admin permissions.
Individual was using inspect element on the admin page and was able to bypass the block.
I’m running Jellyfin on Windows and noticed that a non-admin user was able to restart the Jellyfin server using Shadfin, despite having no admin permissions in Jellyfin.
This persists even after:
Revoking all API keys
Logging out all users/devices
Confirming the user has no admin access
Confirming the user has no OS access to the server
The behavior appears to be tied to Jellyfin’s remote control / shared device permissions, not user admin permissions.
Individual was using inspect element on the admin page and was able to bypass the block.