CVE-2026-25767

Sažetak

LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.

Reference

https://github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a
https://github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82
https://github.com/cloudamqp/lavinmq/pull/1670
https://github.com/cloudamqp/lavinmq/pull/1687
https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wg

CVSS

Base:	8.1
Impact:	5.2
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Zadnje važnije ažuriranje

20-02-2026 - 18:35

Objavljeno

12-02-2026 - 20:16