• Login
  • Register
  • Login Register
    Login
    Username/Email:
    Password:
    Or login with a social network below
  • Forum
  • Website
  • GitHub
  • Status
  • Translation
  • Features
  • Team
  • Rules
  • Help
  • Feeds
User Links
  • Login
  • Register
  • Login Register
    Login
    Username/Email:
    Password:
    Or login with a social network below

    Useful Links Forum Website GitHub Status Translation Features Team Rules Help Feeds
    Jellyfin Forum Support General Questions Is quick start supposed to launch every time you access Jellyfin from a new browser?

     
    • 0 Vote(s) - 0 Average

    Is quick start supposed to launch every time you access Jellyfin from a new browser?

    Dorca
    Offline

    Junior Member

    Posts: 2
    Threads: 1
    Joined: 2024 Aug
    Reputation: 0
    Country:United States
    #1
    2024-08-29, 02:01 AM
    Greetings!

    I'll start by saying Jellyfin is my first big personal tech project, and I've been having a blast with it. It's been awesome for doing movie nights with my friends on the other side of the country that I can't hang out with in person anymore. However, it's come to my attention that any time I share the server with a friend, it takes them directly to quick start where they can make an admin account. I already have accounts made up for the people that I share it with, and I don't want them to have admin access. I don't see anything in the settings that would alter that functionality. After they access it for the first time, it works as intended. This is also concerning to me though, because it means that anyone who could theoretically stumble across my IP could get admin access without me knowing anything about it.

    If it makes a difference, I am using caddy for a reverse proxy with a duckdns subdomain.
    TheDreadPirate
    Offline

    Community Moderator

    Posts: 15,374
    Threads: 10
    Joined: 2023 Jun
    Reputation: 460
    Country:United States
    #2
    2024-08-29, 02:23 AM
    Can you describe your setup more? What OS? What install method for Jellyfin did you use?

    And can you share your jellyfin logs via pastebin.
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
    [Image: GitHub%20Sponsors-grey?logo=github]
    Dorca
    Offline

    Junior Member

    Posts: 2
    Threads: 1
    Joined: 2024 Aug
    Reputation: 0
    Country:United States
    #3
    2024-08-29, 03:55 AM
    Nevermind, I got it worked out. It seems to have something to do with having it set up so that all of the accounts have a manual login and don't show up at the login screen. Once I changed that, everything worked correctly. Sorry to waste your time with it!
    JaggedJax
    Offline

    Junior Member

    Posts: 2
    Threads: 0
    Joined: 2025 May
    Reputation: 0
    Country:United States
    #4
    2025-05-13, 05:14 PM
    I have this problem too. I had no idea my JellyFin server was wide open for anyone to setup admin access to! It is weird that this is allowed.

    I already have my admin user setup and this issue started happening when I added additional users. Accessing the Jellyfin URL when not logged in was showing the setup wizard!

    Disabling the "Hide this user from login screens" option for all users did not fix the issue for me. This must be a security bug, there's no way it should be letting anyone take over my server. It's like some internal "Server Setup" flag isn't properly set so the server is still trying to perform the Wizard again.


    OS: Ubuntu Linux
    Install method: Debian repo
    Logs: Not showing anything other than video play content. Nothing login or app related at all.

    Wizard shown when accessing Jellyfin from web browser while logged out (even though this is a fully setup server!)
    [Image: qySZIKO.png]
    Clicking Next shows an admin user setup screen!!!
    [Image: xV0H146.png]
    But I am already an admin and have already setup a second user.
    [Image: jPLMaPg.png]
    JaggedJax
    Offline

    Junior Member

    Posts: 2
    Threads: 0
    Joined: 2025 May
    Reputation: 0
    Country:United States
    #5
    2025-05-13, 05:31 PM
    UPDATE:
    I found that in /etc/jellyfin/system.xml the IsStartupWizardCompleted value was set to false. I have no clue how that got reset and it is scary that can happen and open the server wide up. It feels like there should be more protections against that. Could some update have caused it? Or maybe there was an error on the initial setup and it never was properly set? Maybe there should be a big warning in the admin page if that's still false with a way to mark it as completed?
    0konomiyaki
    Offline

    Junior Member

    Posts: 1
    Threads: 0
    Joined: 2025 Jun
    Reputation: 0
    Country:Australia
    #6
    2025-06-04, 10:56 AM
    Made an account just to note that I found the same with IsStartupWizardCompleted being set to false. Was very confused when this started happening.
    M B
    Offline

    Junior Member

    Posts: 4
    Threads: 1
    Joined: 2025 Jun
    Reputation: 0
    #7
    2025-06-08, 09:16 AM
    I have the same issue, but my biggest concern is that even if IsStartupWizardCompleted is set to true, I can still open wizard http://server:8097/web/#/wizardstart.html and reset the admin passwords any time.
    I think it is a very big security issue.
    I-G-1-1
    Offline

    Junior Member

    Posts: 18
    Threads: 2
    Joined: 2023 Jun
    Reputation: 0
    #8
    2025-06-08, 01:15 PM
    If I manually open the wizard with the link http://server:8096/web/#/wizardstart.html I get a rotating circle and I cannot select any language or click to go ahead to reset anything. Seems secure to me.
    theguymadmax
    Offline

    Community Moderator

    Posts: 1,142
    Threads: 0
    Joined: 2024 Jun
    Reputation: 60
    #9
    2025-06-08, 02:16 PM
    (2025-06-08, 09:16 AM)M B Wrote: I have the same issue, but my biggest concern is that even if IsStartupWizardCompleted is set to true, I can still open wizard http://server:8097/web/#/wizardstart.html and reset the admin passwords any time.
    I think it is a very big security issue.

    That's because you are you'll re-logging in from a browser that remembers a session with the admin account. This topic has already been brought up and debunked by the Dev team. https://github.com/jellyfin/jellyfin-web/issues/6486
    Efficient_Good_5784
    Offline

    Community Moderator

    Posts: 1,170
    Threads: 3
    Joined: 2023 Jun
    Reputation: 50
    #10
    2025-06-08, 02:45 PM (This post was last modified: 2025-06-08, 02:48 PM by Efficient_Good_5784. Edited 1 time in total.)
    You can read through the github repo that @theguymadmax linked above to get a better understanding of this topic.

    Yes you can access the startup wizard, but anyone that's not an admin will not be able to do anything with it. It will just endlessly load for non-admins.

    As the last post in that github issue thread states, a fix has been merged that will prevent the startup wizard from ever loading if "IsStartupWizardCompleted" is set to true in the config files.
    You will still be able to open it if it's set to false though.
    « Next Oldest | Next Newest »

    Users browsing this thread: 2 Guest(s)


    • View a Printable Version
    • Subscribe to this thread
    Forum Jump:

    Home · Team · Help · Contact
    © Designed by D&D - Powered by MyBB
    L


    Jellyfin

    The Free Software Media System

    Linear Mode
    Threaded Mode