CVE 8.6 HIGH

LavinMQ has incomplete shovel configuration validation_CVE-2026-25767

February 12, 2026 invoker category_cve

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.

AI Analysis

Incomplete shovel configuration validation allows authenticated users with the 'Policymaker' tag to bypass access controls and read or publish messages to unauthorized vhosts.

Basic Information

ID CVE-2026-25767

Source GitHub_M

Published Feb 12, 2026 at 19:49

Affected Product

Vendor cloudamqp

Product lavinmq

Version < 2.6.8

Affected Versions cloudamqp lavinmq < 2.6.8

CWE Classification

CWE-863

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor CloudAMQP

Product LavinMQ

Version < 2.6.8

References

{
    "lastseen": "",
    "description": "LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the \u201cPolicymaker\u201d tag, could create shovels bypassing access controls. an authenticated user with the \"Policymaker\" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.",
    "published": "2026-02-12T19:49:49.516Z",
    "modified": "2026-02-12T19:49:49.516Z",
    "type": "cve",
    "title": "LavinMQ has incomplete shovel configuration validation",
    "source": "GitHub_M",
    "references": "https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wg\nhttps://github.com/cloudamqp/lavinmq/pull/1670\nhttps://github.com/cloudamqp/lavinmq/pull/1687\nhttps://github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a\nhttps://github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82",
    "id": "CVE-2026-25767",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "cloudamqp lavinmq < 2.6.8",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "lavinmq",
    "version": "< 2.6.8",
    "vendor": "cloudamqp",
    "ai_description": "Incomplete shovel configuration validation allows authenticated users with the 'Policymaker' tag to bypass access controls and read or publish messages to unauthorized vhosts.",
    "ai_severity": "High",
    "ai_vendor": "CloudAMQP",
    "ai_product": "LavinMQ",
    "ai_version": "< 2.6.8",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply