CVE-2025-69414
Unauthorized Access Token Disclosure in Plex Media Server via API
Publication date: 2026-01-02
Last updated on: 2026-02-27
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| plex | media_server | to 1.42.2.10156 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Plex Media Server (PMS) through version 1.42.2.10156 allows an attacker to retrieve a permanent access token by making a /myplex/account call using a transient access token. This means that with limited access, an attacker can escalate privileges by obtaining a token that grants long-term access.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to user accounts or media content because an attacker can obtain a permanent access token from a transient one. This can result in compromised confidentiality and integrity of user data, potentially allowing attackers to access or manipulate media server content without permission.