Description

LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.

INFO

Published Date :

2026-02-12T19:49:49.516Z

Last Modified :

2026-02-12T20:52:24.629Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25767 vulnerability.

Vendors Products
84codes
  • Lavinmq
Cloudamqp
  • Lavinmq
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25767.

URL Resource
https://github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a cve-icon cve-icon
https://github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82 cve-icon cve-icon
https://github.com/cloudamqp/lavinmq/pull/1670 cve-icon cve-icon
https://github.com/cloudamqp/lavinmq/pull/1687 cve-icon cve-icon
https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact