CVE-2026-25767
Awaiting Analysis Awaiting Analysis - Queue
Access Control Bypass in LavinMQ Allows Unauthorized Message Access

Publication date: 2026-02-12

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25767
EUVD
EUVD-2026-6692
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
84codes lavinmq to 2.6.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25767 is a vulnerability in LavinMQ, a high-performance message queue and streaming server. Before version 2.6.8, an authenticated user with the "Policymaker" management tag could bypass access controls when creating shovels. This allowed such users to read messages from virtual hosts (vhosts) they were not authorized to access or publish messages to unauthorized vhosts by exploiting insufficient permission checks in shovel configuration and definitions API endpoints.'}, {'type': 'paragraph', 'content': 'The root cause was incomplete validation of shovel configurations and overly permissive access to definitions-related API endpoints, which allowed users with Policymaker or Management roles to perform actions reserved for administrators.'}, {'type': 'paragraph', 'content': 'The vulnerability is fixed in LavinMQ version 2.6.8 by enforcing strict administrator-only access to all definitions API endpoints and enhancing shovel configuration validation to ensure proper permission checks on source and destination resources.'}] [1, 2, 3, 4, 5]

Impact Analysis

This vulnerability can have serious security impacts by allowing an authenticated user with the Policymaker tag to bypass access controls and access or modify data in unauthorized virtual hosts.

  • Read messages from vhosts they are not authorized to access.
  • Publish messages to vhosts they are not authorized to access.
  • Potentially modify critical system configurations via definitions API endpoints if they have Management or Policymaker roles.

Such unauthorized access and modification can lead to data leakage, message tampering, and compromise of system integrity.

The vulnerability requires authenticated access with specific management tags, so it does not allow unauthenticated exploitation, but it elevates privileges of certain users beyond intended limits.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring and restricting access to the LavinMQ definitions API and shovel configuration endpoints. Since the vulnerability allows authenticated users with the Policymaker tag to create shovels bypassing access controls, commands or checks should focus on identifying unauthorized API calls or shovel configurations.'}, {'type': 'paragraph', 'content': 'Specifically, you can monitor HTTP API requests to the following endpoints for suspicious activity or unauthorized access attempts:'}, {'type': 'list_item', 'content': 'GET, POST, and POST upload requests to /api/definitions and /api/definitions/:vhost'}, {'type': 'list_item', 'content': 'PUT requests to /api/parameters/shovel/* endpoints'}, {'type': 'paragraph', 'content': 'Commands to detect such activity might include inspecting web server or proxy logs for these API calls, for example using grep or similar tools:'}, {'type': 'list_item', 'content': 'grep "/api/definitions" /var/log/nginx/access.log'}, {'type': 'list_item', 'content': 'grep "/api/parameters/shovel/" /var/log/nginx/access.log'}, {'type': 'paragraph', 'content': 'Additionally, reviewing LavinMQ user roles and permissions to identify users with the Policymaker tag or Management API access can help detect potential misuse.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires authenticated access, monitoring authentication logs for unusual or unauthorized user activity related to these roles is also recommended.'}] [3]

Mitigation Strategies

Immediate mitigation steps for CVE-2026-25767 include restricting access to the LavinMQ Management API and definitions endpoints to trusted administrators only.

  • Upgrade LavinMQ to version 2.6.8 or later, where the vulnerability is fixed by enforcing administrator-only access to all definitions API endpoints.
  • If upgrading immediately is not possible, restrict Management API access to trusted administrators by limiting user roles and permissions.
  • Block POST requests to /api/definitions/* and PUT requests to /api/parameters/shovel/* endpoints using a Web Application Firewall (WAF) or reverse proxy to prevent unauthorized shovel creation or definitions modification.
  • Review and minimize the number of users assigned management tags such as Administrator, Monitoring, Policymaker, and Management to reduce the attack surface.

These steps help prevent unauthorized users with Policymaker or Management roles from exploiting the vulnerability to read or publish messages to unauthorized virtual hosts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25767. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart