CVE-2026-25767 | THREATINT

Description

LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.

PUBLISHED Reserved 2026-02-05 | Published 2026-02-12 | Updated 2026-02-12 | Assigner GitHub_M

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-863: Incorrect Authorization

Product status

< 2.6.8

affected

References

github.com/...avinmq/security/advisories/GHSA-wh37-6vrr-r9wg

github.com/cloudamqp/lavinmq/pull/1670

github.com/cloudamqp/lavinmq/pull/1687

github.com/...ommit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a

github.com/...ommit/be03da31f3db1a2552f7094ff58e953ef50cdc82

cve.org (CVE-2026-25767)

nvd.nist.gov (CVE-2026-25767)

Download JSON