{"id":"CVE-2023-26269","details":"Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a \nmalicious local user.\n\nAdministrators are advised to disable JMX, or set up a JMX password.\n\nNote that version 3.7.4 onward will set up a JMX password automatically for Guice users.","aliases":["GHSA-w7r6-v4j7-h94w"],"modified":"2026-04-12T06:36:56.698555Z","published":"2023-04-03T08:15:07.087Z","related":["CGA-g999-cr99-m3w9"],"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/04/18/3"},{"type":"ARTICLE","url":"https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/james-project","events":[{"introduced":"0"},{"fixed":"83f8707cf451537540a876ebcb932559c89f3e87"}],"database_specific":{"cpe":"cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"3.7.4"}],"source":"CPE_FIELD"}}],"versions":["cassandra_migration_v1_to_v2","james-project-3.0-beta5","james-project-3.0.0","james-project-3.0.0-RC1","james-project-3.0.0-beta5","james-project-3.3.0","james-project-3.4.0","james-project-3.7.0","james-project-3.7.1","james-project-3.7.2","james-project-3.7.3","pre-3.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-26269.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}