PT-2026-7896 · Lavinmq · Lavinmq

Magnushoerberg · Published 2026-02-12 · Updated 2026-02-13 · CVE-2026-25767

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: LavinMQ versions prior to 2.6.8

Description: LavinMQ is a high-performance message queue and streaming server. An authenticated user with the "Policymaker" tag could create shovels bypassing access controls. Specifically, an authenticated user with the "Policymaker" management tag could read messages from virtual hosts (vhosts) they are not authorized to access or publish messages to vhosts they are not authorized to access. This occurs due to improper access control checks during shovel creation.

Recommendations: Update LavinMQ to version 2.6.8 or later.
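As an added illustration of the class of check the advisory describes (a constructed Python model, not LavinMQ's own code), the block below contrasts a shovel-creation check that trusts the management tag alone with one that also verifies the creator's per-vhost read permission on the source and write permission on the destination. The permission shape (configure/write/read regexes per vhost), the user and shovel records, and the function names are all assumptions made for the model.

```python
import re
from dataclasses import dataclass

# Constructed model of AMQP-style per-vhost permissions:
# one regex each for configure, write and read. Not LavinMQ's code.
@dataclass(frozen=True)
class Permission:
    configure: str
    write: str
    read: str

@dataclass
class User:
    name: str
    tags: frozenset            # management tags, e.g. {"policymaker"}
    permissions: dict          # vhost name -> Permission

@dataclass(frozen=True)
class ShovelSpec:
    src_vhost: str
    src_queue: str
    dst_vhost: str
    dst_exchange: str

def _allowed(user, vhost, kind, name):
    """True only if the user has a permission entry on `vhost` and its
    regex for `kind` ("configure", "write" or "read") fully matches `name`."""
    perm = user.permissions.get(vhost)
    if perm is None:
        return False           # no permissions on this vhost at all
    return re.fullmatch(getattr(perm, kind), name) is not None

def tag_only_check(user, spec):
    """Weak check of the kind the advisory describes: the management tag
    alone decides, so the shovel's source and destination vhosts are
    never examined and the tag holder can bridge vhosts it cannot use."""
    return "policymaker" in user.tags

def hardened_check(user, spec):
    """The tag is necessary but not sufficient: the creator must also be
    able to read the source queue in the source vhost and write the
    destination exchange in the destination vhost, exactly as if it
    consumed and published those messages itself."""
    if "policymaker" not in user.tags:
        return False
    return (_allowed(user, spec.src_vhost, "read", spec.src_queue)
            and _allowed(user, spec.dst_vhost, "write", spec.dst_exchange))
```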

Weakness Enumeration

Incorrect Authorization

Related identifiers

CVE-2026-25767
GHSA-WH37-6VRR-R9WG

Affected products

Lavinmq