CVE-2026-25767

LavinMQ is a high-performance message queue and streaming server. Before 2.6.8, an authenticated user with the "Policymaker" management tag could create shovels that bypassed access controls: such a user could use a shovel to read messages from vhosts they were not authorized to access, or to publish messages into vhosts they were not authorized to access. This vulnerability is fixed in 2.6.8.
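The advisory text describes the failure mode (a shovel parameter stored in one vhost whose source or destination URI points at another vhost, created by a user who only holds rights in the first one) but not the check that prevents it. The following is an added example, not LavinMQ's code or its fix, that shows both sides of that check in Python: an audit pass over existing shovel definitions that flags any whose endpoints leave the vhost they are defined in, and the creation-time authorization a shovel API should apply to the caller (read on the source, write on the destination, in the vhost each URI actually names). It assumes the RabbitMQ-compatible shape LavinMQ uses for shovel parameters (`vhost`, `name`, `value` with `src-uri`, `dest-uri`, `src-queue`/`src-exchange`, `dest-queue`/`dest-exchange`), a permissions table of per-vhost `configure`/`write`/`read` regexes, and that an empty regex grants nothing; the users, vhosts and shovels are constructed sample data.

```python
"""Cross-vhost shovel checks, written as an added example for CVE-2026-25767.

Not LavinMQ's code. Assumes shovel definitions in the RabbitMQ-compatible
management shape (vhost, name, value{src-uri, dest-uri, src-queue|src-exchange,
dest-queue|dest-exchange}) and a permissions table of per-vhost regexes.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: "alice" may only touch vhost "team-a"; "admin" has team-a and team-b.
PERMISSIONS = [
    {"user": "alice", "vhost": "team-a", "configure": ".*", "write": ".*", "read": ".*"},
    {"user": "admin", "vhost": "team-a", "configure": ".*", "write": ".*", "read": ".*"},
    {"user": "admin", "vhost": "team-b", "configure": ".*", "write": ".*", "read": ".*"},
]

# Constructed sample shovel parameters, shaped like a GET /api/parameters/shovel listing.
SHOVELS = [
    {   # stays inside its own vhost: fine
        "vhost": "team-a", "name": "mirror",
        "value": {"src-uri": "amqp://localhost/team-a", "src-queue": "orders",
                  "dest-uri": "amqp://localhost/team-a", "dest-queue": "orders-copy"},
    },
    {   # defined in team-a but drains a queue that lives in team-b
        "vhost": "team-a", "name": "siphon",
        "value": {"src-uri": "amqp://localhost/team-b", "src-queue": "secrets",
                  "dest-uri": "amqp://localhost/team-a", "dest-queue": "inbox"},
    },
    {   # defined in team-a but publishes into the default vhost "/"
        "vhost": "team-a", "name": "inject",
        "value": {"src-uri": "amqp://localhost/team-a", "src-queue": "outbox",
                  "dest-uri": "amqp://localhost/%2F", "dest-exchange": "amq.topic"},
    },
]


def vhost_of(uri: str) -> str:
    """Vhost named by an amqp:// or amqps:// URI, following the AMQP URI rules:
    no path -> "/", an empty segment after the slash -> "", else the decoded segment."""
    parts = urlsplit(uri)
    if parts.scheme not in ("amqp", "amqps"):
        raise ValueError(f"not an AMQP URI: {uri!r}")
    if parts.path == "":
        return "/"
    return unquote(parts.path[1:])


def allowed(user: str, vhost: str, kind: str, name: str, perms=PERMISSIONS) -> bool:
    """RabbitMQ-style resource check: the user's <kind> regex for that vhost must
    match the resource name; an empty regex, or no row for that vhost, grants nothing."""
    for row in perms:
        if row["user"] == user and row["vhost"] == vhost:
            pattern = row[kind]
            return bool(pattern) and re.search(pattern, name) is not None
    return False


def authorize_shovel(user: str, value: dict, perms=PERMISSIONS) -> list:
    """Creation-time check, run against the caller rather than the vhost the
    parameter is stored in: read on the source, write on the destination.
    Returns a list of reasons to refuse; empty means the shovel may be created."""
    problems = []
    src_vhost = vhost_of(value["src-uri"])
    src_name = value.get("src-queue") or value.get("src-exchange", "")
    if not allowed(user, src_vhost, "read", src_name, perms):
        problems.append(f"{user} may not read {src_name!r} in vhost {src_vhost!r}")
    dest_vhost = vhost_of(value["dest-uri"])
    dest_name = value.get("dest-queue") or value.get("dest-exchange", "")
    if not allowed(user, dest_vhost, "write", dest_name, perms):
        problems.append(f"{user} may not write {dest_name!r} in vhost {dest_vhost!r}")
    return problems


def cross_vhost_shovels(shovels=SHOVELS) -> list:
    """Audit pass over an existing deployment: every (vhost, name) whose endpoints
    leave the vhost the shovel is defined in. Review these when upgrading to 2.6.8."""
    found = []
    for s in shovels:
        endpoints = {vhost_of(s["value"]["src-uri"]), vhost_of(s["value"]["dest-uri"])}
        if endpoints != {s["vhost"]}:
            found.append((s["vhost"], s["name"]))
    return found


if __name__ == "__main__":
    print("cross-vhost shovels:", cross_vhost_shovels())
    for s in SHOVELS:
        print(s["name"], "as alice:", authorize_shovel("alice", s["value"]) or "ok")
```

Two caveats worth keeping in mind when adapting this: the management API does not record which user created a parameter, so the audit can only flag cross-vhost shovels for a human to review, while the caller-based check is the one that has to live in the server at creation time; and the vhost in an AMQP URI is a percent-encoded path segment, so "amqp://host" and "amqp://host/%2F" both mean the default vhost "/" but "amqp://host/" means the empty-named vhost, which a naive string comparison against the defining vhost would get wrong.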
Configurations

Configuration 1

cpe:2.3:a:84codes:lavinmq:*:*:*:*:*:*:*:*

History

20 Feb 2026, 18:35

Type: References
  Values Removed: https://github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a (untagged)
  Values Added: https://github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a (Patch)

Type: References
  Values Removed: https://github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82 (untagged)
  Values Added: https://github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82 (Patch)

Type: References
  Values Removed: https://github.com/cloudamqp/lavinmq/pull/1670 (untagged)
  Values Added: https://github.com/cloudamqp/lavinmq/pull/1670 (Issue Tracking, Patch)

Type: References
  Values Removed: https://github.com/cloudamqp/lavinmq/pull/1687 (untagged)
  Values Added: https://github.com/cloudamqp/lavinmq/pull/1687 (Issue Tracking, Patch)

Type: References
  Values Removed: https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wg (untagged)
  Values Added: https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wg (Mitigation, Vendor Advisory)

Type: CPE
  Values Removed: none
  Values Added: cpe:2.3:a:84codes:lavinmq:*:*:*:*:*:*:*:*

Type: Summary
  Values Removed: none
  Values Added: (es) Spanish summary, translated here: LavinMQ is a high-performance message queue and streaming server. Before version 2.6.8, an authenticated user with the "Policymaker" tag could create shovels while bypassing access controls. An authenticated user with the "Policymaker" management tag could exploit this to read messages from vhosts they are not authorized to access, or to publish messages to vhosts they are not authorized to access. This vulnerability is fixed in version 2.6.8.

Type: CVSS
  Values Removed: v2: unknown; v3: unknown
  Values Added: v2: unknown; v3: 8.1

Type: First Time
  Values Removed: none
  Values Added: 84codes; 84codes lavinmq

12 Feb 2026, 20:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-12 20:16

Updated : 2026-02-20 18:35


NVD link : CVE-2026-25767

Mitre link : CVE-2026-25767

CVE.ORG link : CVE-2026-25767



Products Affected

84codes

  • lavinmq
CWE
CWE-863

Incorrect Authorization