CVE-2025-46388: Emby MediaBrowser - IDOR Exposing User Configurations and Pin Codes
Emby is a popular self-hosted media server platform used to organize, stream, and share personal media libraries across devices. It handles user authentication, access permissions, and sensitive media metadata, making its security posture critical.
Vulnerability Details
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (IDOR)
While officially classified under CWE-200, this vulnerability is a textbook Insecure Direct Object Reference (IDOR). The Emby MediaBrowser API uses the user’s UUID directly in the URL to fetch user data. There is no server-side validation to confirm the requesting user is authorized to access that specific profile.
The vulnerable endpoint follows this pattern:
GET /emby/Users/<UUID>/...
Any authenticated user can simply swap their own UUID with another user’s UUID in the request URL and gain full access to that user’s configuration, including their Pin code and account settings.
Requesting another user’s profile by changing the UUID in the URL - the server returns their full configuration including Pin code.
No privilege escalation needed. No special tokens. Just change the UUID and the server hands over everything.
A second user’s data accessed the same way - full configuration and Pin code exposed.
Impact
- Access any user’s configuration - Every user’s settings, preferences, and metadata are readable by any other authenticated user
- Pin code exposure - Pin codes meant to protect parental controls or restricted content are fully visible
- Account enumeration - An attacker can iterate through UUIDs to map out all users on the server
- Chaining potential - Combined with the unverified password change (CVE-2025-46389), an attacker can read a target’s data and then lock them out permanently
Advisory
- ILVN-ID: ILVN-2025-0236
- CVE-ID: CVE-2025-46388
- Affected Products: Emby MediaBrowser version 4.9.0.35
- Credit: Moriel Harush
- Solution: No info