CVE-2026-25768
Unauthorized Metadata Access in LavinMQ Before

Publication date: 2026-02-12

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
LavinMQ is a high-performance message queue & streaming server. Before 2.6.6, an authenticated user could access metadata in the broker they should not have access to. This vulnerability is fixed in 2.6.6.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-12
EPSS evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE:
Vendor: 84codes
Product: lavinmq
Version / Range: versions before 2.6.6 (2.6.6 excluded)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25768 is a vulnerability in LavinMQ, a high-performance message queue and streaming server. Before version 2.6.6, an authenticated user could bypass proper access controls and access metadata in the broker that they should not have permission to view.

Specifically, the issue involves missing virtual host (vhost) access control in the Management API, allowing unauthorized access to queue, exchange, binding information, message statistics, and the ability to enumerate all vhosts and resources on the server.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an authenticated user to gain unauthorized visibility into sensitive broker metadata.

  • Read queue, exchange, and binding information from vhosts they should not access.
  • View message statistics for unauthorized vhosts.
  • Enumerate all virtual hosts configured on the server through brute force guessing.
  • List all resources within any given vhost on the server.

These impacts could lead to information disclosure and potentially aid further attacks or unauthorized actions within the message broker environment.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized access to metadata via the Management API of LavinMQ. Detection can focus on monitoring and analyzing Management API access patterns.

Specifically, you can look for authenticated users accessing virtual hosts (vhosts) or metadata they should not have permission to view.

Since the vulnerability allows enumeration of all vhosts through brute force guessing, monitoring for repeated or unusual API requests to different vhost endpoints can indicate exploitation attempts.

Suggested commands or approaches include:

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP API traffic to the LavinMQ Management API port and analyze it for suspicious access patterns.
  • Check server logs for Management API requests that access multiple or unauthorized vhosts.
  • Use curl or a similar HTTP client to test access control manually by requesting vhost metadata with the credentials of different authenticated users. Example command (replace the placeholders accordingly):

      curl -u <username>:<password> http://<lavinmq-server>:<port>/api/vhosts/<vhost-name>/queues

    If unauthorized access is possible, the response will include queue information for vhosts the user should not be able to access.
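The log-review approach above can be turned into a small detection script. The following is an added example, not code from this page or from the LavinMQ project. It assumes a generic access-log line shape (client IP, authenticated user, request line, HTTP status), the `/api/vhosts/<vhost-name>/...` path form from the curl example above, a constructed per-user authorization policy (`AUTHORIZED`), and an enumeration threshold of three distinct vhosts per user; the sample log lines are constructed, and the regexes must be adapted to the real log format of your deployment. It flags two things the answer calls out: a vhost-scoped request outside the user's entitlement (a 2xx response is the disclosure itself; a 404 is still a probe worth counting), and a single user touching many distinct vhosts, which is the enumeration pattern.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines: client IP, authenticated user, request line, status.
# The real LavinMQ log format is not shown on the page; LINE_RE is an assumption to adapt.
SAMPLE_LOG = """\
10.0.0.5 alice "GET /api/vhosts/orders/queues HTTP/1.1" 200
10.0.0.5 alice "GET /api/vhosts/orders/exchanges HTTP/1.1" 200
10.0.0.9 bob "GET /api/vhosts/orders/queues HTTP/1.1" 200
10.0.0.9 bob "GET /api/vhosts/billing/queues HTTP/1.1" 200
10.0.0.9 bob "GET /api/vhosts/hr/queues HTTP/1.1" 404
10.0.0.9 bob "GET /api/vhosts/dev/queues HTTP/1.1" 404
10.0.0.9 bob "GET /api/vhosts/%2F/queues HTTP/1.1" 200
10.0.0.9 bob "GET /api/overview HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})$'
)
# Path shape taken from the curl example above: /api/vhosts/<vhost-name>/...
VHOST_RE = re.compile(r"^/api/vhosts/(?P<vhost>[^/?]+)")

# Constructed authorization policy: the vhosts each user is entitled to see.
AUTHORIZED = {"alice": {"orders"}, "bob": {"orders"}}


def parse_line(line):
    """Return user, path, status and the (percent-decoded) vhost touched, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    v = VHOST_RE.match(path)
    # Vhost names are percent-encoded in URLs ("%2F" is the default vhost "/").
    vhost = unquote(v.group("vhost")) if v else None
    return {"user": m.group("user"), "path": path,
            "status": int(m.group("status")), "vhost": vhost}


def analyze(log_text, authorized, enumeration_threshold=3):
    """Flag vhost-scoped requests outside a user's entitlement, and users that
    touch at least `enumeration_threshold` distinct vhosts (enumeration signal)."""
    touched = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["vhost"] is None:
            continue  # unparseable line, or a request that is not vhost-scoped
        user, vhost = rec["user"], rec["vhost"]
        touched[user].add(vhost)
        if vhost not in authorized.get(user, set()):
            # A 2xx here is the disclosure itself; a 404 is still a probe worth counting.
            findings.append({"type": "unauthorized_vhost", "user": user,
                             "vhost": vhost, "status": rec["status"]})
    for user, vhosts in touched.items():
        if len(vhosts) >= enumeration_threshold:
            findings.append({"type": "vhost_enumeration", "user": user,
                             "distinct_vhosts": sorted(vhosts)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, AUTHORIZED):
        print(finding)
```

On the constructed sample, `alice` produces nothing, while `bob` yields four `unauthorized_vhost` findings (`billing`, `hr`, `dev` and the default vhost `/`) plus one `vhost_enumeration` finding for touching five distinct vhosts. The authorization policy is the important input: on a patched broker the API would refuse the out-of-scope requests, but the log-side check still tells you who was probing.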

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in LavinMQ version 2.6.6. The primary mitigation step is to upgrade to version 2.6.6 or later.

Until the upgrade can be performed, it is recommended to restrict access to the Management API to trusted administrators only.

This can be done by network-level controls such as firewall rules or by configuring access control mechanisms to limit which users or IP addresses can reach the Management API.

Additionally, review and tighten user permissions to ensure that authenticated users only have access to the vhosts and metadata they are authorized to view.

