Plex Media Server Token Exposure Vulnerability Allowing Unauthorized Access to Share Tokens

Vulnerability

A flaw in the Plex Media Server backend allows a device token that is not a server token to retrieve share tokens through a shared_servers endpoint. This issue affects Plex Media Server releases prior to 2025-12-31; the fix shipped in version 1.42.1 (see Remediation).

Impact

Exploitation of this vulnerability allows unauthorized access to share tokens. A share token grants access to the servers, libraries and services shared with the affected Plex user, so an attacker holding one can reach those resources without the user's or the owner's credentials.

Reproduction

To reproduce, authenticate as a non-owner user who has been granted shared access to a server, capture that user's access token from the client's network requests, and then use that token to request the owner's administrative token from the '/myplex/account' endpoint. The owner token can then be used to reach additional servers and to obtain their owner tokens in turn, so the process can be repeated to chain from one server to the next.

Remediation

Users are advised to update to Plex Media Server version 1.42.1 or later, where this vulnerability has been patched. Updating closes the disclosure path but does not invalidate tokens that were already retrieved; if exposure is suspected, sign out existing devices after updating so that those tokens are revoked.
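As an added example (not code from the advisory, from Plex, or from this tracking database), the script below decides whether a server reports a version at or above the 1.42.1 threshold from the Remediation section. It assumes that the server's unauthenticated /identity endpoint returns a MediaContainer element whose version attribute carries the build string in the form 1.42.1.10060-4e8b05daf; the sample response embedded in the block is constructed for illustration, and the build hash after the hyphen is ignored when comparing.

```python
"""Check whether a Plex Media Server reports the patched release (1.42.1+).

Added example, not code from Plex or from the advisory. Assumptions:
  - /identity returns a MediaContainer element with a 'version' attribute;
  - the version string looks like "1.42.1.10060-4e8b05daf";
  - the 1.42.1 threshold is taken from the advisory's remediation section.
"""
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

PATCHED_VERSION = (1, 42, 1)  # from the advisory's remediation section

# Constructed sample, shaped like a Plex /identity reply (assumption).
SAMPLE_IDENTITY_XML = (
    '<MediaContainer size="0" claimed="1" '
    'machineIdentifier="0123456789abcdef0123456789abcdef01234567" '
    'version="1.41.9.9876-0abc1234d"/>'
)


def parse_version(version: str) -> tuple:
    """Turn '1.42.1.10060-4e8b05daf' into (1, 42, 1, 10060).

    The build hash after '-' is dropped. A string that is not dotted
    integers raises ValueError so that garbage is never treated as patched.
    """
    numeric = version.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", numeric):
        raise ValueError(f"unrecognised Plex version string: {version!r}")
    return tuple(int(part) for part in numeric.split("."))


def is_patched(version: str) -> bool:
    """True when the version is 1.42.1 or later.

    Comparison is done on the first three numeric components, padding
    short strings with zeros, so 1.42 counts as 1.42.0 (still vulnerable)
    and 1.42.1.0 counts as patched.
    """
    parsed = parse_version(version)
    padded = parsed + (0,) * max(0, len(PATCHED_VERSION) - len(parsed))
    return padded[: len(PATCHED_VERSION)] >= PATCHED_VERSION


def version_from_identity(identity_xml: str) -> str:
    """Extract the 'version' attribute from a /identity MediaContainer reply."""
    root = ET.fromstring(identity_xml)
    if root.tag != "MediaContainer" or "version" not in root.attrib:
        raise ValueError("response does not look like a Plex /identity reply")
    return root.attrib["version"]


def check_server(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch /identity from a live server and report whether it needs updating.

    Performs a network request; the offline sample below does not call it.
    """
    url = f"{base_url.rstrip('/')}/identity"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        version = version_from_identity(resp.read().decode("utf-8"))
    return {"version": version, "patched": is_patched(version)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python plex_version_check.py http://192.0.2.10:32400
        result = check_server(sys.argv[1])
    else:
        sample_version = version_from_identity(SAMPLE_IDENTITY_XML)
        result = {"version": sample_version, "patched": is_patched(sample_version)}
    print(result)
```

Run it without arguments to exercise the constructed sample (which reports as unpatched), or pass a base URL such as http://host:32400 to query a real server. A version check is only a necessary condition: a server that has been updated may still have tokens in circulation that were retrieved before the update.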

Added: Jan 2, 2026, 5:21 PM
Updated: Jan 2, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm

  spread          7.6
  impact          5.0
  exploitability  6.8
  remediation     7.7
  relevance       1.8
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.