Magnushoerberg

**Name of the Vulnerable Software and Affected Versions** LavinMQ versions prior to 2.6.8 **Description** LavinMQ is a high-performance message queue and streaming server. An authenticated user with the “Policymaker” tag could create shovels bypassing access controls. Specifically, an authenticated user with the "Policymaker" management tag could read messages from virtual hosts (vhosts) they are not authorized to access or publish messages to vhosts they are not authorized to access. This occurs due to improper access control checks during shovel creation. **Recommendations** Update LavinMQ to version 2.6.8 or later.