Plex Media Server
cpe:2.3:a:plex:media_server:*:*:*:*:*:*:*, +1 more
- >= 1.41.7, <= 1.42.0
A vulnerability in Plex Media Server in versions through 1.42.2.10156 allows improper access to account details via the '/myplex/account' endpoint. This issue arises because the server owner’s administrative access token is exposed to authenticated non-owner users, enabling unauthorized access and privilege escalation within the Plex platform. Additionally, unpatched token management issues persist, allowing for transient tokens to be escalated to permanent access tokens and exposing device tokens that can impersonate users or devices on the owner's account.
Exploitation of this vulnerability could lead to unauthorized access to the server owner's account, including administrative privileges, and allow impersonation of other users or devices shared with the owner. This could facilitate a broader compromise across multiple Plex servers.
To reproduce this vulnerability, authenticate as a non-owner user with access to a shared Plex server. Extract the access token from network requests using browser developer tools. Then, send a GET request to the '/myplex/account' endpoint, including the user token. The response will contain the owner's administrative token, which can be used to access additional servers via the Plex.tv API, potentially chaining the exploitation across multiple servers.
Users can update to Plex Media Server version 1.42.1 or later, where this vulnerability has been patched. However, be aware that some token management issues remain unaddressed.