CVE-2026-25767

8.1 HIGH
Published: February 12, 2026 Modified: February 20, 2026
View on NVD

Description

LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the โ€œPolicymakerโ€ tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a
Source: security-advisories@github.com
Patch
https://github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82
Source: security-advisories@github.com
Patch
https://github.com/cloudamqp/lavinmq/pull/1670
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/cloudamqp/lavinmq/pull/1687
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wg
Source: security-advisories@github.com
Mitigation Vendor Advisory

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.1 / 10.0
EPSS (Exploit Probability)
0.0%
10th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-863

Affected Vendors

84codes

Related CVEs

CVE-2026-4538 5.3
CVE-2026-4537 4.7
CVE-2026-4536 7.3
CVE-2026-4535 8.8
CVE-2026-4534 8.8