CVE-2023-32315: Openfire Administration Console authentication bypass

We’ve had an important security issue reported that affects all recent versions of Openfire. We’ve fixed it in the newly published 4.6.8 and 4.7.5 releases. We recommend people upgrade as soon as possible. More info, including mitigations for those who cannot upgrade quickly, is available in this security advisory: CVE-2023-32315: Administration Console authentication bypass.

Related to this issue, we have also made available updates to three of our plugins:

If you’re using these plugins, it is recommended to update them immediately.

When you are using the REST API plugin, or any proprietary plugins, updating Openfire might affect the availability of their functionality. Please find workarounds in the security advisory.

If you have any questions, please stop by our community forum or our live groupchat.

For other release announcements and news follow us on Twitter and Mastodon.


:ok_hand: I have just upgraded containers to 4.7.5. So far so good, congrats and respect for prompt efforts and reactive delivery as usual :slight_smile:
Will update ASAP all our Openfire concerned sites. Big thanks to the igniterealtime team!!!


Thanks for the hard work!