VYPR
High severity · NVD Advisory · Published Mar 26, 2024 · Updated Nov 11, 2025

CVE-2024-25420

Description

CVE-2024-25420 allows privilege escalation in Openfire before 4.8.1 because deleted admin usernames persist in the admin.authorizedJIDs property, enabling a new user with the same name to inherit admin rights.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Analysis

CVE-2024-25420 is an improper authorization flaw in Ignite Realtime Openfire before 4.8.1. Openfire's default admin provider decides who is an administrator from the admin.authorizedJIDs system property, a comma-separated list of usernames or JIDs (Jabber IDs) [2]. Deleting a user did not touch that property, so a deleted administrator's name stayed in the list as a stale entry. Because the list is matched by name rather than by any identity bound to the deleted account, whoever next holds that username is treated as an administrator.

Exploitation

An attacker who learns the username of a deleted administrator exploits this by creating a new account under that name. Because the name is still listed in admin.authorizedJIDs, the new account is an administrator from the moment it exists; no approval step is involved. Where in-band registration (XEP-0077) is enabled, the account can be created over an ordinary XMPP client connection with no existing privileges, which makes the path remote and low-privilege [2]. Where registration is closed, the attacker still needs someone with account-creation rights to create the account under that name, so the practical exposure depends on the registration settings of the deployment.

Impact

Successful exploitation allows a remote attacker to gain full administrative control over the Openfire server. With administrator privileges, an attacker can access the web administration console, manage users, read or modify server configuration, and potentially execute arbitrary code through plugin installation or other administrative features. This represents a complete compromise of the XMPP server's confidentiality, integrity, and availability.

Mitigation

The fix shipped in Openfire 4.8.1; affected deployments should upgrade. Independently of the upgrade, administrators can audit admin.authorizedJIDs (System Properties in the admin console, or the property row in the database) and remove every entry that no longer corresponds to an existing user, repeating the check after each admin deletion; disabling in-band registration removes the unauthenticated path but does not remove the stale entries. The audit treats the symptom only, since an unpatched server keeps leaving stale entries behind, and the fix itself does not retroactively clean entries that went stale before the upgrade [1][2].
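A practical way to run the audit described above, as an added example that is not Openfire's own code: the script parses the comma-separated admin.authorizedJIDs value, maps each entry to a local username (bare names, and user@domain JIDs for the server's own domain; remote JIDs are skipped), flags entries with no matching account, and produces a cleaned value to write back. The table and column names ofProperty(name, propValue) and ofUser(username), the entry formats, and case-insensitive username matching are assumptions about Openfire's schema and property syntax; the SQLite database is constructed sample data, and on a real server you would point the queries at the Openfire database (after a backup) or edit the property in the admin console.

```python
"""Audit Openfire's admin.authorizedJIDs for stale entries (CVE-2024-25420).

Added example, not Openfire project code. Assumptions: the property value is
a comma-separated list whose entries are either bare usernames or full JIDs
(user@domain); an entry without '@' names a local user; usernames compare
case-insensitively; the database tables are ofProperty(name, propValue) and
ofUser(username). The SQLite database below is constructed sample data.
"""
import sqlite3
from typing import Iterable, List, Optional

PROPERTY_NAME = "admin.authorizedJIDs"


def parse_authorized_jids(value: str) -> List[str]:
    """Split the property value into its non-empty, whitespace-trimmed entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def local_username(entry: str, domain: str) -> Optional[str]:
    """Return the local username an entry refers to, or None for a remote JID.

    A bare username is assumed to be local; a full JID is local only when its
    domain part (resource stripped) matches the server's XMPP domain.
    """
    if "@" not in entry:
        return entry.lower()
    user, _, host = entry.partition("@")
    host = host.split("/", 1)[0]  # drop a resource such as /phone
    return user.lower() if host.lower() == domain.lower() else None


def find_stale_admins(value: str, existing_usernames: Iterable[str], domain: str) -> List[str]:
    """Entries that grant admin rights to a local username with no matching account."""
    existing = {name.lower() for name in existing_usernames}
    stale = []
    for entry in parse_authorized_jids(value):
        user = local_username(entry, domain)
        if user is not None and user not in existing:
            stale.append(entry)
    return stale


def cleaned_value(value: str, stale: Iterable[str]) -> str:
    """Property value with the stale entries removed, ready to write back."""
    drop = set(stale)
    return ",".join(e for e in parse_authorized_jids(value) if e not in drop)


def audit_db(conn: sqlite3.Connection, domain: str) -> List[str]:
    """Read the property and the user list from an Openfire-style schema and audit them."""
    row = conn.execute(
        "SELECT propValue FROM ofProperty WHERE name = ?", (PROPERTY_NAME,)
    ).fetchone()
    if row is None:
        return []  # property absent: no JID-based admins configured
    users = [r[0] for r in conn.execute("SELECT username FROM ofUser")]
    return find_stale_admins(row[0], users, domain)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: 'bob' and 'carol' were admins and have been deleted."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE ofProperty (name TEXT PRIMARY KEY, propValue TEXT);
        CREATE TABLE ofUser (username TEXT PRIMARY KEY);
        INSERT INTO ofUser (username) VALUES ('admin'), ('alice');
        INSERT INTO ofProperty (name, propValue) VALUES
            ('admin.authorizedJIDs',
             'admin, bob,carol@example.com,dave@other.example');
        """
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    found = audit_db(db, "example.com")
    print("stale admin entries:", found)
    print("cleaned value:", cleaned_value(
        "admin, bob,carol@example.com,dave@other.example", found))
```

Run it after each admin deletion on a server older than 4.8.1. After upgrading, the listener added to AdminManager in 4.8.1 handles deletions performed through Openfire, but a one-off audit still catches entries that went stale before the upgrade or that belong to users removed outside Openfire. Remote-domain entries such as dave@other.example are left alone because they do not refer to a local account.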

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.igniterealtime.openfire:xmppserver (Maven)
Affected versions: < 4.8.1
Patched versions: 4.8.1

Affected products

2

Patches

2
6f4eb4c639dd

Merge pull request #2447 from akrherz/481

https://github.com/igniterealtime/openfire · daryl herzmann · Mar 2, 2024 · via osv
9 files changed · +50 -9
  • distribution/pom.xml (+1 -1, modified)
    @@ -5,7 +5,7 @@
         <parent>
             <artifactId>parent</artifactId>
             <groupId>org.igniterealtime.openfire</groupId>
    -        <version>4.8.1-SNAPSHOT</version>
    +        <version>4.8.1</version>
         </parent>
         <modelVersion>4.0.0</modelVersion>
     
    
  • i18n/pom.xml (+1 -1, modified)
    @@ -4,7 +4,7 @@
         <parent>
             <artifactId>parent</artifactId>
             <groupId>org.igniterealtime.openfire</groupId>
    -        <version>4.8.1-SNAPSHOT</version>
    +        <version>4.8.1</version>
         </parent>
         <artifactId>i18n</artifactId>
         <name>Internationalization files for Openfire</name>
    
  • plugins/openfire-plugin-assembly-descriptor/pom.xml (+1 -1, modified)
    @@ -4,7 +4,7 @@
         <parent>
             <artifactId>plugins</artifactId>
             <groupId>org.igniterealtime.openfire</groupId>
    -        <version>4.8.1-SNAPSHOT</version>
    +        <version>4.8.1</version>
         </parent>
         <groupId>org.igniterealtime.openfire.plugins</groupId>
         <artifactId>openfire-plugin-assembly-descriptor</artifactId>
    
  • plugins/pom.xml (+2 -2, modified)
    @@ -2,7 +2,7 @@
              xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
         <modelVersion>4.0.0</modelVersion>
         <groupId>org.igniterealtime.openfire</groupId>
    -    <version>4.8.1-SNAPSHOT</version>
    +    <version>4.8.1</version>
         <artifactId>plugins</artifactId>
         <packaging>pom</packaging>
         <name>Openfire Plugins</name>
    @@ -120,7 +120,7 @@
             <plugin.name>${project.artifactId}</plugin.name>
     
             <!-- Versions -->
    -        <openfire.version>4.8.1-SNAPSHOT</openfire.version>
    +        <openfire.version>4.8.1</openfire.version>
             <!-- Note; the following jetty.version should be identical to the jetty.version in xmppserver/pom.xml -->
             <jetty.version>10.0.18</jetty.version>
         </properties>
    
  • pom.xml (+1 -1, modified)
    @@ -4,7 +4,7 @@
     
         <groupId>org.igniterealtime.openfire</groupId>
         <artifactId>parent</artifactId>
    -    <version>4.8.1-SNAPSHOT</version>
    +    <version>4.8.1</version>
         <name>Parent</name>
         <packaging>pom</packaging>
     
    
  • starter/pom.xml (+1 -1, modified)
    @@ -4,7 +4,7 @@
         <parent>
             <artifactId>parent</artifactId>
             <groupId>org.igniterealtime.openfire</groupId>
    -        <version>4.8.1-SNAPSHOT</version>
    +        <version>4.8.1</version>
         </parent>
         <artifactId>starter</artifactId>
         <name>Starter for Openfire</name>
    
  • xmppserver/changelog.html (+41 -0, modified)
    @@ -160,6 +160,47 @@ <h1>Openfire Changelog</h1>
         
         <div id="pageBody">
     
    +<h2>4.8.1 -- <span style="font-weight: normal;">March 2, 2024</span></h2>
    +
    +<h2>Improvement</h2>
    +<ul>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2651">OF-2651</a>] - Give explict names to Netty's threads</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2788">OF-2788</a>] - Have distinct thread pools for each type of connection</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2791">OF-2791</a>] - Announce support for PubSub delete-item</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2798">OF-2798</a>] - Admin Console should warn end-user if plugin installation failed</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2800">OF-2800</a>] - Guard against a surplus of database connection errors being logged</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2802">OF-2802</a>] - Upgrade postgresql database driver for CVE-2024-1597</li>
    +</ul>
    +
    +<h2>New Feature</h2>
    +<ul>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-284">OF-284</a>] - Add service administration support</li>
    +</ul>
    +
    +<h2>Bug</h2>
    +<ul>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2166">OF-2166</a>] - When deleting a user, remove it from transient MUC rooms</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2310">OF-2310</a>] - Cache data inconsistency: MUC</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2758">OF-2758</a>] - Deleting an admin user does not remove the name from \`admin.authorizedJIDs\`</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2768">OF-2768</a>] - Do not use default value for user's creation / last modified date</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2774">OF-2774</a>] - 4.8.0 not counting "whitespace ping" as session activity</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2775">OF-2775</a>] - RSS News Feed appears empty</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2777">OF-2777</a>] - Misbehaving Shared-With-Group option for Contact List sharing</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2778">OF-2778</a>] - Duplicate \(group\)chat messages are received</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2781">OF-2781</a>] - SerializableCache appears to be unusable \(ClassCastException on creation\)</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2782">OF-2782</a>] - SerializableCache instances do not get recreated on cluster switch</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2792">OF-2792</a>] - Cache-summary page shows wrong stats when using Clustering</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2795">OF-2795</a>] - Delete MUC-based authorization when deleting user</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2799">OF-2799</a>] - OccupantManager doesn't remove all items when clustering</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2805">OF-2805</a>] - Session details shows 'resource' column, but does not show resources</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2806">OF-2806</a>] - Routing Servers cache inconsistency doesn't list the missing items</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2807">OF-2807</a>] - Contact List \(Roster\) Sharing changes are not immediately applied</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2808">OF-2808</a>] - Stream Management Resume fails</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2809">OF-2809</a>] - Disabling client idle time breaks websockets</li>
    +    <li>[<a href="https://igniterealtime.atlassian.net/browse/OF-2810">OF-2810</a>] - Resumed stream is no longer resumable</li>
    +</ul>
    +
    +
     <h2>4.8.0 -- <span style="font-weight: normal;">Jan 12, 2024</span></h2>
     
     <h2>Improvement</h2>
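Review bot: the OF-2758 entry describes the bug but does not mention CVE-2024-25420 or the security advisory, so a reader of the changelog cannot tell that this release fixes a privilege escalation; consider adding the CVE identifier to that line, as the OF-2802 entry already does for CVE-2024-1597. Also, "explict" in the OF-2651 line should be "explicit".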
    
  • xmppserver/pom.xml (+1 -1, modified)
    @@ -4,7 +4,7 @@
         <parent>
             <groupId>org.igniterealtime.openfire</groupId>
             <artifactId>parent</artifactId>
    -        <version>4.8.1-SNAPSHOT</version>
    +        <version>4.8.1</version>
         </parent>
         <artifactId>xmppserver</artifactId>
         <name>Core XMPP Server</name>
    
  • xmppserver/src/main/java/org/jivesoftware/openfire/spi/XMPPServerInfoImpl.java (+1 -1, modified)
    @@ -39,7 +39,7 @@ public class XMPPServerInfoImpl implements XMPPServerInfo {
     
         private final Date startDate;
     
    -    public static final Version VERSION = new Version(4, 8, 1, Version.ReleaseStatus.Alpha, -1 );
    +    public static final Version VERSION = new Version(4, 8, 1, Version.ReleaseStatus.Release, -1 );
     
         /**
          * Simple constructor
    
5c022bfa82d7

OF-2758: Remove admin flag when deleting user

https://github.com/igniterealtime/openfire · Guus der Kinderen · Feb 10, 2024 · via ghsa
1 file changed · +16 -1
  • xmppserver/src/main/java/org/jivesoftware/openfire/admin/AdminManager.java (+16 -1, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright (C) 2005-2008 Jive Software, 2017-2019 Ignite Realtime Foundation. All rights reserved.
    + * Copyright (C) 2005-2008 Jive Software, 2017-2024 Ignite Realtime Foundation. All rights reserved.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -17,8 +17,12 @@
     
     import java.util.ArrayList;
     import java.util.List;
    +import java.util.Map;
     
     import org.jivesoftware.openfire.XMPPServer;
    +import org.jivesoftware.openfire.event.UserEventDispatcher;
    +import org.jivesoftware.openfire.event.UserEventListener;
    +import org.jivesoftware.openfire.user.User;
     import org.jivesoftware.util.SystemProperty;
     import org.slf4j.Logger;
     import org.slf4j.LoggerFactory;
    @@ -85,6 +89,17 @@ public static AdminManager getInstance() {
         private AdminManager() {
             // Load an admin provider.
             initProvider(ADMIN_PROVIDER.getValue());
    +
    +        UserEventDispatcher.addListener(new UserEventListener() {
    +            @Override
    +            public void userDeleting(final User user, final Map<String, Object> params) {
    +                // OF-2758: Ensure that if a user is re-created with the same name, they're not automatically an admin.
    +                removeAdminAccount(user.getUsername());
    +            }
    +
    +            @Override public void userCreated(final User user, final Map<String, Object> params) {}
    +            @Override public void userModified(final User user, final Map<String, Object> params) {}
    +        });
         }
     
         private static void initProvider(final Class clazz) {
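Review bot: the cleanup in the new UserEventListener fires only for deletions that pass through UserEventDispatcher, so an entry for a user removed outside Openfire (for example in a directory backing a read-only user provider, or directly in the database) still goes stale; consider also pruning names that no longer resolve to a user when the property is loaded, or documenting that the listener covers in-server deletions only. Two smaller points on the same hunk: removeAdminAccount(user.getUsername()) runs in userDeleting, before the deletion completes, so an aborted delete leaves a demoted admin, which is the safe direction but deserves a comment; and whether removeAdminAccount also matches an entry stored as a full JID (user@domain) rather than a bare username is not visible here and should be confirmed, since the property accepts both forms.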
    

Vulnerability mechanics

Root cause

"Deleting an admin user does not remove the corresponding JID from the admin.authorizedJIDs system property, leaving stale authorization entries."

Attack vector

An attacker who can create an account under a username that is still listed in `admin.authorizedJIDs` obtains administrative privileges, because the property is not cleaned up when the original admin user is deleted and the stale entry keeps granting admin access to whoever holds that name. This lets a remote attacker escalate privileges through the orphaned authorization entry [CWE-863].

Affected code

The vulnerability concerns the `admin.authorizedJIDs` system property, which stores the list of JIDs authorized for administrative access, and the code that maintains it: `AdminManager` in xmppserver/src/main/java/org/jivesoftware/openfire/admin/AdminManager.java, which before the fix had no hook on user deletion. Issue OF-2758, referenced from the changelog, tracks the bug.

What the fix does

The first commit (6f4eb4c639dd) is the 4.8.1 release commit: version bumps from 4.8.1-SNAPSHOT to 4.8.1 plus the changelog entry for OF-2758. The actual fix is commit 5c022bfa82d7, which registers a `UserEventListener` in the `AdminManager` constructor; its `userDeleting` callback calls `removeAdminAccount(user.getUsername())`, so a deleted user's entry is removed from `admin.authorizedJIDs` as part of the deletion and a later account with the same name does not inherit admin rights [patch_id=1640329]. Entries that were already stale before the upgrade are not cleaned by this commit.

Preconditions

  • config: The target Openfire instance runs a version before 4.8.1 (4.8.0 or earlier).
  • config: A user that was granted admin rights via admin.authorizedJIDs has been deleted, leaving its entry in the property.
  • auth: The attacker must be able to create an account with that username: unauthenticated via in-band registration where it is enabled, otherwise through someone with account-creation rights.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.