Plex Media Server
cpe:2.3:a:plex:media_server:*:*:*:*:*:*:*
- >= 1.41.7, <= 1.42.0
A vulnerability in the Plex Media Server backend can be exploited to retrieve owner access tokens using non-server device tokens. This issue affects Plex Media Server versions through December 31, 2025. The vulnerability arises from improper token management, allowing unauthorized access to sensitive tokens via the Plex.tv API.
Exploitation of this vulnerability enables unauthorized users to access owner tokens, which can be used to gain full administrative rights on shared Plex servers. This access can be extended to other servers through the Plex.tv API, potentially compromising an entire network of interconnected Plex servers.
To reproduce this vulnerability, authenticate as a non-owner user with access to a shared Plex server. Extract the access token from network requests using browser developer tools. Then, send a request to the '/myplex/account' endpoint, including the extracted user token. The response will contain the owner's administrative token. This owner token can be used to access additional servers and repeat the process, chaining the exploitation across multiple servers.
Plex has released a Plex Media Server patch for the vulnerability that allowed non-owner users to obtain owner tokens. However, token-management issues persist: revoked device tokens can still be retrieved through alternative endpoints. It is recommended that Plex Media Server implement opt-in password protection for servers to enhance security.