Emby Server allows attackers to gain administrative server access without preconditions
Description
Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Emby Server versions below 4.9.1.81 allow unauthenticated attackers to gain full administrative access over the server.
Vulnerability
The vulnerability in Emby Server versions prior to 4.9.1.81 permits an unauthenticated attacker to gain full administrative access to the Emby Server's web interface. The root cause lies in an API endpoint that fails to properly enforce authentication or authorization checks, enabling privilege escalation without any prerequisites beyond network connectivity [1][2].
Exploitation
Exploitation requires only network access to the server; no prior authentication or user interaction is needed. The attack likely involves the password reset functionality, as indicated by the workaround of restricting access to the passwordreset.txt file [2]. An attacker can directly call the vulnerable API to obtain administrative privileges.
Impact
Successful exploitation grants the attacker complete control over the Emby Server administration, allowing actions such as modifying server settings, managing users, and accessing media libraries. The vulnerability does not extend to the underlying operating system, limiting direct OS compromise [1].
Mitigation
The vulnerability is fixed in Emby Server version 4.9.1.81. A temporary workaround involving restrictive file permissions on passwordreset.txt is now obsolete as the patch supersedes this mitigation. Users are strongly advised to update their servers immediately [2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| MediaBrowser.Server.Core (NuGet) | < 4.9.1.81 | 4.9.1.81 |
Affected products
- Range: 3.2.31, 3.2.32.0, 3.2.33.0, …
- Range: < 4.9.1.81
- Range: < 4.9.1.81
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-95fv-5gfj-2r84 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-64113 (ghsa, ADVISORY)
- github.com/EmbySupport/Emby.Security/security/advisories/GHSA-95fv-5gfj-2r84 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.