Remote control permissions allow server restart/shutdown via Shadfin for non-admin users #1
Description
I’m running Jellyfin on Windows and noticed that a non-admin user was able to restart the Jellyfin server using Shadfin, despite having no admin permissions in Jellyfin.
This persists even after:
Revoking all API keys
Logging out all users/devices
Confirming the user has no admin access
Confirming the user has no OS access to the server
The behavior appears to be tied to Jellyfin’s remote control / shared device permissions, not user admin permissions.
Individual was using inspect element on the admin page and was able to bypass the block.