Yeah that’s fair and I think that’s a good move, my point is just that people are acting like this is not feasible to exploit. I’m at the point in my exploit testing excursion where I have a script that can generate a stream of potential IDs based on real torrent names being parsed and reformatted using radarr’s default naming pattern as well as the commonly used trash guides ones permuted with some common library paths used in the default docker compose examples, and it’s turning up actual ID matches with my jellyfin instance. All I have left to do is make it create API requests to test the IDs against the unauthenticated API instead of checking an exported list and there’s a proof of concept. 5 years is a long time for someone to figure that out.