skippy_nz posted in the 2.5.5 announcement thread that he was able to bypass the security of iNEWA and go directly to the recordings list and delete shows without ever logging in. I tested it and first thought it was working fine, and reported same.
However, on further testing I now see the problem:
If the user goes to http://npvr:8866/mobile, it skips the login. I advertised that as a means to see the mobile site on a device not detected as mobile (such as a tablet like my HP TouchPad). This is obviously a pretty serious issue, though hopefully won't have any immediate consequence. I'm turning off external access to my NPVR box until this is fixed.