Removed Plex User but they still have full access to Libraries

Server Version#: 1.31.2.6783
Player Version#: 4.102.1

Long time Plex Pass user. Running Plex via Unraid (docker). Remote access is turned on (working fine). I have a couple of Managed Users as well as a couple of Plex Users added to my Plex Home.

A couple years ago, I removed one of the Plex Users I had invited as they loved Plex so much, they decided to build their own machine and host their own content. He recently let me know he can see my PlexServer in the server listings under the “More” menu. What’s shocking is he can still stream from any of the libraries I originally allowed via his Plex account.

I have:

- Ensured his account does not exist in the Plex Home (either as Friend or Managed User)
- Deleted all “authorized” devices
- I have signed out, and signed back in (to all devices)
- He has signed out and signed back in
- We have both done a “reclaim” to our respective servers
- I have toggled “enable Guest” (to ensure it’s turned off)
- I have changed my ServerName
- I have “optimized” database and rebooted
- I have used SQLite and mounted the library.db. I have deleted his account from the accounts table (as well as references to his account in Metadata and Statistics)

None of those have made any difference. He is still able to:

See my Server and stream from libraries I originally shared… both remotely and on all his devices on his local LAN (connected to his local server). It is only his admin account that can see my context (not any of the Managed users he has created)

Our networks are not connected (via VPN or any other connection).

This feels like a security concern. Why would a removed user still have access to content? Is there something that would be connecting our Plex accounts, besides the actual Server configuration (i.e. Billing accounts?).

Would really appreciate any support to have this corrected. Thanks!

I am betting he is still listed as a friend, and you shared your library with his account. Just go into your friends/sharing and edit what is shared with them

If I go to “Manage Library Access” and then “View All Friends”… I do have 2 friends listed, but not the user I removed as a Friend previously (that I’m describing above).

@ChuckPa any chance you can look at the backend here?

I see two Managed users and 3 shared users.

What should I see?

Appreciate that. @ChuckPa the user account I’m trying to remove is: kimmy*****@…com

So there should only be 2 Managed Users and 2 Shared Users.

@willisdo

There is nothing on the backend.

When’s the last time you restarted the server?

That will force restart the connection.

I sent you a PM of the users who currently have access.
Please advise

Account was removed in Plex backend (by Team Member). Issue resolved.

@ChuckPa does this mean there’s a way to retain access after being unfriended? Does it require Plex team to handle or a server restart is enough?
edit: OP stated he did all standard security and troubleshooting practices. This seems very serious. Plz respond with general instruction thanks

Once the permission is revoked, no new connections can be made.
Restarting the server closes any existing streams.

I became involved because something didn’t work right in his Plex/web - internet somewhere.

The case here was where the user was actively streaming.
Restart or him clicking “STOP” in the activity dashboard has the same effect and is enough.

I probably over reacted a bit and took him out of the backend when STOP in plex/web or Restart would have been enough.
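
The reply above separates two things: revocation blocks new connections, while a stream already running continues until it is stopped. As an added example (not part of the original thread and not Plex's own code), this Python check compares a session listing against the share list the owner expects. The XML is constructed; its element and attribute names are modelled on the server's `/status/sessions` listing as an assumption, and the user names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like a Plex Media Server /status/sessions reply.
# Element and attribute names are assumptions; user names are made up.
SAMPLE_SESSIONS_XML = """\
<MediaContainer size="3">
  <Video title="Movie A" type="movie">
    <User id="1" title="owner"/>
    <Player address="192.168.1.20" device="Apple TV" state="playing"/>
    <Session id="sess-a" location="lan"/>
  </Video>
  <Video title="Show B" type="episode">
    <User id="2002" title="Removed-Friend"/>
    <Player address="203.0.113.7" device="Roku" state="playing"/>
    <Session id="sess-b" location="wan"/>
  </Video>
  <Track title="Song C" type="track">
    <Player address="198.51.100.9" device="Chrome" state="paused"/>
    <Session id="sess-c" location="wan"/>
  </Track>
</MediaContainer>
"""


def find_unexpected_sessions(xml_text, allowed_users):
    """Return active sessions whose user is not on the owner's share list."""
    allowed = {name.casefold() for name in allowed_users}
    findings = []
    for item in ET.fromstring(xml_text):
        user, player, session = (item.find(t) for t in ("User", "Player", "Session"))
        name = user.get("title") if user is not None else None
        if name and name.casefold() in allowed:
            continue  # expected account, nothing to report
        findings.append({
            "user": name or "(unknown)",  # a session with no identity is flagged too
            "title": item.get("title", ""),
            "session_id": session.get("id", "") if session is not None else "",
            "address": player.get("address", "") if player is not None else "",
            "location": session.get("location", "") if session is not None else "",
        })
    return findings


if __name__ == "__main__":
    for hit in find_unexpected_sessions(SAMPLE_SESSIONS_XML, ["owner", "friend-a", "friend-b"]):
        print(hit)
```
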

OP wrote that he did Reboot and that he did remove user a couple of years ago. As an Unraid user he usually receives Plex Server updates every 14 days or so. This requires a container and Plex server restart as well.

In my opinion something’s missing here …

Agreed. Something is missing in this sequence of events.

In all the users who’ve revoked user permissions, this is the first case I’ve seen reported like this.

Should I have gathered more data from the OP – Yes.
I’m going to retest this all anyway to confirm it works as expected.

I will bring this up in tomorrow’s meeting as well.

EDIT:

With help of another employee who also happened to be awake at this crazy hour,

  1. We pulled the history of the server
  2. Looks like the server was accidentally deleted & then recovered along the way.
  3. This seems a one-of case, and not the norm, but will be resolved.

This sounds like a serious security hole.

@Havohej

Don’t go start calling something a major problem without knowing all the details.

I looked at the server’s audit logs.

UNdeleting (recovering) a deleted server is not a daily event.

A “One-Of” case does not constitute a general “serious security hole”.

After everyone has reviewed what happened, THEN I’ll let you know what the findings are.

Oh man, oh man …

A one-of case is a one-of case until the day it is exploited, then it might not be a one-of case anymore.

Zero day vulnerabilities were probably one-of cases until they were published.

Anyway, I will patiently wait for your findings. Thanks in advance for keeping us informed.
