PT-2026-7896 · Lavinmq · Lavinmq
Magnushoerberg · Published 2026-02-12 · Updated 2026-02-13
CVE-2026-25767 · CVSS v4.0 8.6 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
LavinMQ versions prior to 2.6.8
Description
LavinMQ is a high-performance message queue and streaming server. In affected versions, an authenticated user holding the "Policymaker" management tag could create shovels that bypassed access controls: through such a shovel, the user could read messages from virtual hosts (vhosts) they were not authorized to access, or publish messages to vhosts they were not authorized to access. The cause was missing access-control checks during shovel creation.
Recommendations
Update LavinMQ to version 2.6.8 or later.
Weakness Enumeration
Incorrect Authorization
Affected Products
Lavinmq