Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-25767
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-12 Feb, 2026 | 19:49
Updated At-12 Feb, 2026 | 20:52
Rejected At-
▼CVE Numbering Authority (CNA)
LavinMQ has incomplete shovel configuration validation

LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.

Affected Products
Vendor
cloudamqp
Product
lavinmq
Versions
Affected
  • < 2.6.8
Problem Types
TypeCWE IDDescription
CWECWE-863CWE-863: Incorrect Authorization
Type: CWE
CWE ID: CWE-863
Description: CWE-863: Incorrect Authorization
Metrics
VersionBase scoreBase severityVector
4.08.6HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wg
x_refsource_CONFIRM
https://github.com/cloudamqp/lavinmq/pull/1670
x_refsource_MISC
https://github.com/cloudamqp/lavinmq/pull/1687
x_refsource_MISC
https://github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a
x_refsource_MISC
https://github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82
x_refsource_MISC
Hyperlink: https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wg
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/cloudamqp/lavinmq/pull/1670
Resource:
x_refsource_MISC
Hyperlink: https://github.com/cloudamqp/lavinmq/pull/1687
Resource:
x_refsource_MISC
Hyperlink: https://github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a
Resource:
x_refsource_MISC
Hyperlink: https://github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found