CVE-2023-26269

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user.

Administrators are advised to disable JMX, or set up a JMX password.

Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.

Published: Apr 3, 2023
Updated: May 4, 2025
CVE: CVE-2023-26269
GHSA: GHSA-w7r6-v4j7-h94w
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
apache / james	-	3.7.4
org.apache.james / javax-mail-extension	-	3.7.4

http://www.openwall.com/lists/oss-security/2023/04/18/3
https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs

Vulnerability Database

289,697

CVE-2023-26269