Craig Wright, a risk advisory services manager with accountancy giant BDO, said he could use an internet connection to meddle with the coffee machine to cause it to release too much hot water or too much coffee powder.
Writing on security mailing list BugTraq, he said he could also break the machine by tweaking its settings.
The attack is possible because two models of the machine, the Jura Impressa F90 and Jura Impressa F9, have internet connectivity.
Switzerland-based Jura manufactures glorified coffee makers that retail for over £1000.
Jura introduced internet connectivity to the machines so they can be mended remotely by engineers. It's believed to be the first espresso maker with that capability.
Wright said he thought the flaw could not be patched.
"Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on, at the level of the user," he said.
Wright added that he has now installed his machine behind a firewall.
In a statement, Jura claimed Wright was misinformed. It said: "The Internet Connectivity kit which can optionally be acquired... will at no time connect the coffee machine to the world wide web. Its settings can therefore only be changed by the machine's rightful owner. JURA systems do not allow hacker attacks."
Jura added that it would get in touch with Wright to resolve the matter.