Plex Media Server: Unpatched Access Vulnerabilities Remain
Security holes in Plex Media Server allow attackers to gain unauthorized access. Updates are pending.
In August, the developers closed a security vulnerability in Plex Media Server. However, further access-control vulnerabilities reported shortly afterwards have apparently not been fixed yet. Users should therefore restrict who can reach their server as a precaution.
In vulnerability reports published over the weekend, developer Luis Finke points out that, although the authentication vulnerability CVE-2025-34158 (CVSS 8.5, risk "high") was closed with version 1.42.1 of Plex Media Server in August, flanking vulnerabilities in access-token handling remain open and pose a risk. They enable persistent unauthorized access and privilege escalation, and they make it hard to revoke compromised credentials.
The most serious issue affects Plex Media Server up to and including the current version 1.42.2.10156 from September: by calling "/myplex/account" with a temporary access token, attackers can obtain a permanent access token (CVE-2025-69414, CVSS 8.5, risk "high"). A similar call with a device token does not correctly check whether the device is linked to an account at all (CVE-2025-69415, CVSS 7.1, risk "high").
Vulnerabilities in plex.tv backend
Two further security vulnerabilities affect the plex.tv backend up to and including the version from 31.12.2025. A non-server device token can be used to read tokens belonging to other clients from "clients.plex.tv/devices.xml" (CVE-2025-69416, CVSS 5.0, risk "medium"). The same can be achieved via a "shared_servers" API endpoint (CVE-2025-69417, CVSS 5.0, risk "medium").
Since no updates are yet available to fix the partly high-risk security vulnerabilities, Plex users should restrict access to the server to trusted addresses. This mitigates the server-side issues; the flaws in the plex.tv backend can only be fixed by Plex itself.
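One way to apply that restriction on a Linux host, as an added example that is not from the article, from Plex, or from the researcher's reports: a small POSIX shell script that generates an nftables ruleset allowing Plex Media Server's default TCP port 32400 only from trusted IPv4 networks and dropping everything else to that port. The table name "plex_guard", the sample networks and the validation regex are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not code from the heise article or from Plex): build an nftables
# ruleset that only lets trusted IPv4 networks reach the Plex Media Server port.
# 32400 is Plex's default port; the table name "plex_guard" and the sample networks
# below are assumptions for illustration.
set -u

PLEX_PORT=32400

# Accept only dotted-quad/prefix IPv4 networks (prefix 0-32), so a typo cannot
# silently end up as an odd match expression in the generated ruleset.
is_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Emit a ruleset: first argument is the port, the remaining arguments are trusted
# IPv4 CIDRs. Established flows are kept, listed networks may open the port, and
# everything else to that port is dropped. The final drop carries no address-family
# qualifier, so IPv6 clients are dropped as well unless you add "ip6 saddr" rules.
# The chain policy stays "accept", so other services on the host are untouched.
plex_allowlist_ruleset() {
    port="$1"; shift
    [ "$#" -gt 0 ] || { echo "no trusted networks given" >&2; return 1; }
    for net in "$@"; do
        is_ipv4_cidr "$net" || { echo "not an IPv4 CIDR: $net" >&2; return 1; }
    done
    printf 'table inet plex_guard {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy accept;\n'
    printf '    ct state established,related accept\n'
    for net in "$@"; do
        printf '    ip saddr %s tcp dport %s accept\n' "$net" "$port"
    done
    printf '    tcp dport %s drop\n' "$port"
    printf '  }\n'
    printf '}\n'
}

# Demonstration with constructed sample networks (a LAN and a VPN range).
plex_allowlist_ruleset "$PLEX_PORT" 192.168.1.0/24 10.8.0.0/24
```

To load the result, pipe it into nft (for example `plex_allowlist_ruleset 32400 192.168.1.0/24 | sudo nft -f -`, or write it to a file and load that with `nft -f`). The rule applies on the server host itself, so it also covers a port forwarded from a router for Plex remote access; pick the trusted networks accordingly, and remember that this does nothing for the plex.tv-side issues.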
(dmk)