CVE-2026-25767

HIGH EPSS 16.3%
Published Feb 12, 20264mo ago · Modified Feb 20, 20264mo ago
8.6 CVSS 4.0
High
Find Similar
Published Feb 12, 2026 4mo ago
Last Modified Feb 20, 2026 4mo ago

Description

LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.

CVSS Details

Base Score
8.6
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
16.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

Affected Products 1

VendorProductVersionRange
84codeslavinmq* <2.6.8

References 5

  • github.com https://github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a
    Patch
  • github.com https://github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82
    Patch
  • github.com https://github.com/cloudamqp/lavinmq/pull/1670
    Issue TrackingPatch
  • github.com https://github.com/cloudamqp/lavinmq/pull/1687
    Issue TrackingPatch
  • github.com https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wg
    MitigationVendor Advisory

Remediation

  • github.com https://github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a
    Patch
  • github.com https://github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82
    Patch
  • github.com https://github.com/cloudamqp/lavinmq/pull/1670
    Issue TrackingPatch
  • github.com https://github.com/cloudamqp/lavinmq/pull/1687
    Issue TrackingPatch