CVE-2025-69417 MEDIUM

CVE-2025-69417

Vendor Plex

Product plex.tv backend

Weakness CWE-863 · Incorrect authorization

Published January 2, 2026

Last update January 2, 2026

View on NVD All CVEs

CVSS base score

5.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.

Key dates

02Disclosure timeline

January 2, 2026 CVE published

January 2, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-69417

Related vulnerabilities

04Related CVE

CVE-2026-32051 OpenClaw < 2026.3.1 - Authorization Bypass in Agent Runs via Owner-Only Tool Access CVE-2010-1435 CVE-2026-41325 Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection CVE-2026-35619 OpenClaw < 2026.3.24 - Authorization Bypass via HTTP /v1/models Endpoint CVE-2025-24421 Adobe Commerce | Incorrect Authorization (CWE-863)