CVE-2026-25767
Awaiting Analysis - Queue
Access Control Bypass in LavinMQ Allows Unauthorized Message Access

Publication date: 2026-02-12

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user with the "Policymaker" tag could create shovels bypassing access controls. An authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.
Meta Information
Published: 2026-02-12
Last Modified: 2026-02-20
Generated: 2026-05-07
AI Q&A: 2026-02-12
EPSS Evaluated: 2026-05-05
External records: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: 84codes
Product: lavinmq
Version / Range: up to 2.6.8 (excluding 2.6.8)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25767 is a vulnerability in LavinMQ, a high-performance message queue and streaming server. Before version 2.6.8, an authenticated user with the "Policymaker" management tag could bypass access controls when creating shovels. This allowed such users to read messages from virtual hosts (vhosts) they were not authorized to access or publish messages to unauthorized vhosts by exploiting insufficient permission checks in shovel configuration and definitions API endpoints.

The root cause was incomplete validation of shovel configurations and overly permissive access to definitions-related API endpoints, which allowed users with Policymaker or Management roles to perform actions reserved for administrators.

The vulnerability is fixed in LavinMQ version 2.6.8 by enforcing strict administrator-only access to all definitions API endpoints and enhancing shovel configuration validation to ensure proper permission checks on source and destination resources. [1, 2, 3, 4, 5]


How can this vulnerability impact me?

This vulnerability can have serious security impacts by allowing an authenticated user with the Policymaker tag to bypass access controls and access or modify data in unauthorized virtual hosts.

  • Read messages from vhosts they are not authorized to access.
  • Publish messages to vhosts they are not authorized to access.
  • Potentially modify critical system configurations via definitions API endpoints if they have Management or Policymaker roles.

Such unauthorized access and modification can lead to data leakage, message tampering, and compromise of system integrity.

The vulnerability requires authenticated access with specific management tags, so it does not allow unauthenticated exploitation, but it elevates privileges of certain users beyond intended limits.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring and restricting access to the LavinMQ definitions API and shovel configuration endpoints. Since the vulnerability allows authenticated users with the Policymaker tag to create shovels bypassing access controls, commands or checks should focus on identifying unauthorized API calls or shovel configurations.

Specifically, you can monitor HTTP API requests to the following endpoints for suspicious activity or unauthorized access attempts:

  • GET, POST, and POST upload requests to /api/definitions and /api/definitions/:vhost
  • PUT requests to /api/parameters/shovel/* endpoints

Commands to detect such activity might include inspecting web server or proxy logs for these API calls, for example using grep or similar tools:

  • grep "/api/definitions" /var/log/nginx/access.log
  • grep "/api/parameters/shovel/" /var/log/nginx/access.log

Additionally, reviewing LavinMQ user roles and permissions to identify users with the Policymaker tag or Management API access can help detect potential misuse.

Since the vulnerability requires authenticated access, monitoring authentication logs for unusual or unauthorized user activity related to these roles is also recommended. [3]
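As an added example (not from the advisory, NVD or the LavinMQ project), the following Python scanner applies the detection guidance above to nginx access-log lines, flagging GET/POST requests to the definitions endpoints and PUT requests to shovel parameters, and counting successful calls made by accounts that are not expected administrators. It assumes the management API is fronted by nginx writing the default "combined" log format with the basic-auth user in $remote_user; the sample log lines and the ADMINS set are constructed for illustration.

```python
# Added example, not from the advisory or LavinMQ: scan nginx "combined"
# access-log lines in front of the LavinMQ management API for the
# definitions and shovel endpoints the advisory names. Assumes basic-auth
# users appear in $remote_user; sample lines and the ADMINS set are constructed.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Methods/paths from the detection guidance: GET and POST on /api/definitions
# and /api/definitions/:vhost, PUT on /api/parameters/shovel/*.
DEFINITIONS = re.compile(r"^/api/definitions(/[^/?]+)?(\?|$)")
SHOVEL_PUT = re.compile(r"^/api/parameters/shovel/")

# Constructed: the accounts expected to touch these endpoints (administrators).
ADMINS = {"alice"}


def flag_line(line):
    """Return (user, ip, method, path, status) when the line hits a watched endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path = m["method"], m["path"]
    watched = (method in ("GET", "POST") and DEFINITIONS.match(path)) or (
        method == "PUT" and SHOVEL_PUT.match(path))
    if not watched:
        return None
    return (m["user"], m["ip"], method, path, int(m["status"]))


def scan(lines):
    """All watched requests, plus a count of *successful* ones by non-admin user."""
    hits = [h for h in map(flag_line, lines) if h]
    suspicious = Counter(h[0] for h in hits if h[4] < 400 and h[0] not in ADMINS)
    return hits, suspicious


# Constructed sample: a harmless queue listing, a shovel written by a non-admin,
# a definitions export by the same user, and a rejected definitions upload.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Feb/2026:10:00:01 +0000] "GET /api/queues/%2F HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.9 - bob [12/Feb/2026:10:02:13 +0000] "PUT /api/parameters/shovel/%2F/to-finance HTTP/1.1" 201 0 "-" "curl/8.0"',
    '10.0.0.9 - bob [12/Feb/2026:10:02:40 +0000] "GET /api/definitions/finance HTTP/1.1" 200 8192 "-" "curl/8.0"',
    '10.0.0.9 - bob [12/Feb/2026:10:03:05 +0000] "POST /api/definitions HTTP/1.1" 401 0 "-" "curl/8.0"',
]
```

Run `scan(open("/var/log/nginx/access.log"))` against a real log to get the flagged requests and the per-user count; the rejected 401 attempt is still listed in the hits so it can be reviewed, but only successful calls count toward the non-admin total.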


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps for CVE-2026-25767 include restricting access to the LavinMQ Management API and definitions endpoints to trusted administrators only.

  • Upgrade LavinMQ to version 2.6.8 or later, where the vulnerability is fixed by enforcing administrator-only access to all definitions API endpoints.
  • If upgrading immediately is not possible, restrict Management API access to trusted administrators by limiting user roles and permissions.
  • Block POST requests to /api/definitions/* and PUT requests to /api/parameters/shovel/* endpoints using a Web Application Firewall (WAF) or reverse proxy to prevent unauthorized shovel creation or definitions modification.
  • Review and minimize the number of users assigned management tags such as Administrator, Monitoring, Policymaker, and Management to reduce the attack surface.

These steps help prevent unauthorized users with Policymaker or Management roles from exploiting the vulnerability to read or publish messages to unauthorized virtual hosts.

