I have seven users added as friends. Each of them has a dedicated plex user account. No one is in “My Home” except myself.
Each of these users can see each other users device in the Remote Devices list, connect to and control it. So if one the users is playing a movie on his device (doesn’t matter if FireTV, AndroidTV, Plex Web, Android, iOS) a different user can connect to his device and take over control, eg. stop the movie or play a different one.
Is that a known bug? When will get this serious bug fixed? Is there any workaround?
I see you have listed PMS version 1.1.4.2757 in you signature, is that still correct?
Also, where does one access the Remote Devices list, as the only device list I have seen is the one you access from Settings -> Devices and from that list I do not see Remote
No, I already use 1.2.2.2857 - with all these updates I didn’t had time to update my signature 
I mean the icon on the top right in Plex Web. The second one from the right, with the rectangle and “wifi bars”. In Plex Android there’s also the very same feature.
The green highlighted in the second screenshot is ChromeCast while the red highlighted is “PlexCast”. At the time I took the screenshot nobody else had Plex open so you only see my devices. But if someone else has Plex open (Web, Android, etc.) I can see it in my list and he can see my devices in his list. We both use different Plex Accounts and we aren’t even in the same network (10.0.4.x for me and 10.0.5.x for him). The PMS is available in both networks so that we both can access the server internally.
If the server is connected to both networks and is ‘local’ to both networks, then it is the server which is relaying Plex Companion commands. This is according to spec.
So it is normal that you see all plex clients which are ‘local’ to the server.
I assume you just extended the subnet mask on the server, so it includes both IP ranges, right?
Do you have anything put under
Settings - Server - Network - ‘List of IP addresses and networks that are allowed without auth’ ?
If that is really the case it would be really bad.
No, I did not extend the subnet mask. Because I seperate the different nextworks using VLAN I added the server to each network with a virtual NIC. It has eth0 (physical nic) which is connected to the management LAN and eth1 (physical one) but that is not connected. Instead eth1.4, eth1.5, etc. (virtual ones) are used to connect to the network.
That field is completely empty but I entered every network into the field “LAN Networks” so bandwidth restrictions do not apply.
What ever means you used to make this work: the fact remains that the server is present as a local server in both networks. Therefore the ‘remote control’ commands are relayed from one into the other subnet.
When the feature was designed, it was never imagined that someone could come up with an elaborate setup like you did.
The devs just searched for a way to make remote control work for all the plex clients who are not able to open a ‘network socket’ on their platform. And this was achieved with the relaying of remote control commands by the plex server.
Just imagine the server has six network ports and each of these is connected to a different physical network. The only difference is it’s just virtual. It’s an international standard, see Virtual LAN - Wikipedia 
I really like the PlexCast feature and that it is relayed through the server. I just have to request that this security hole gets fixed by simply checking for the logged in user of source and target. There is no need to change the underlying protocol, just a username filter has to be added.
