CVE-2026-25767

8.1 HIGH

📋 TL;DR

In LavinMQ versions before 2.6.8, authenticated users with the 'Policymaker' management tag can bypass access controls to create shovels, allowing them to read messages from or publish messages to virtual hosts they are not authorized to access. This affects any LavinMQ deployment with authenticated users who have the Policymaker tag.

💻 Affected Systems

Products:
  • LavinMQ
Versions: All versions before 2.6.8
Operating Systems: All platforms running LavinMQ
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with authenticated users who have been granted the 'Policymaker' management tag. Anonymous/unauthenticated users are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious insider with Policymaker privileges could exfiltrate sensitive message data from unauthorized vhosts or inject malicious messages into critical queues, potentially leading to data breaches or system compromise.

🟠 Likely Case

Accidental or intentional misuse by authorized users to access message queues they shouldn't have access to, violating data segregation policies and potentially exposing sensitive information.

🟢 If Mitigated

Limited impact if strict access controls are already in place and Policymaker users are trusted, but still violates the principle of least privilege.

🌐 Internet-Facing: MEDIUM - If LavinMQ is exposed to the internet with authenticated users, attackers could exploit this after obtaining valid credentials with Policymaker privileges.
🏢 Internal Only: MEDIUM - Insider threats or compromised internal accounts with Policymaker privileges could exploit this vulnerability to bypass intended access controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access with Policymaker privileges. Exploitation involves creating shovels with misconfigured access controls to bypass vhost restrictions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.8

Vendor Advisory: https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wg

Restart Required: No

Instructions:

1. Backup your LavinMQ configuration and data.
2. Stop the LavinMQ service.
3. Upgrade to version 2.6.8 or later using your package manager or from source.
4. Start the LavinMQ service.
5. Verify the upgrade was successful.

🔧 Temporary Workarounds

Remove or Restrict Policymaker Users

Platform: all

Temporarily remove the Policymaker tag from users who don't absolutely need it, or restrict their access to only necessary vhosts.

lavinmqctl set_user_tags <username> <new_tags>
lavinmqctl clear_permissions -p <vhost> <username>
lavinmqctl set_permissions -p <vhost> <username> <configure> <write> <read>

Disable Shovel Creation

Platform: all

Implement policy to prevent creation of new shovels by Policymaker users until patched.

  • Monitor and audit shovel creation via logs
  • Implement external controls to block shovel API calls

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to LavinMQ management interfaces
  • Enhance monitoring and alerting for unauthorized shovel creation attempts and unusual message flow patterns

🔍 How to Verify

Check if Vulnerable:

Check LavinMQ version: if version is less than 2.6.8 and you have users with Policymaker tag, you are vulnerable.

Check Version:

lavinmqctl status | grep 'LavinMQ' or check server startup logs

Verify Fix Applied:

After upgrading, verify version is 2.6.8 or higher and test that Policymaker users cannot create shovels that bypass vhost access controls.
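The version check and the Policymaker audit above can be scripted. The following is an added example, not code from the advisory or from the LavinMQ project: it decides whether a deployment is exposed (version below 2.6.8 and at least one user carrying the policymaker tag) and emits the lavinmqctl commands that would drop only that tag. It assumes user records shaped like the RabbitMQ-compatible GET /api/users response LavinMQ serves (objects with "name" and "tags", where tags may be a comma-separated string or a list); the sample user list is constructed.

```python
"""Added example (not from the advisory or the LavinMQ project).

Assumptions: user records look like a RabbitMQ-style GET /api/users
response, i.e. dicts with "name" and "tags" (string or list).
"""
import re
from typing import Iterable, List, Tuple

FIXED_VERSION = (2, 6, 8)  # first version with the fix, per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Pull the numeric x.y.z out of strings such as 'LavinMQ 2.6.7' or
    'v2.6.8-rc1' (pre-release suffixes are ignored)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no x.y.z version found in {version!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable_version(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION


def user_tags(user: dict) -> List[str]:
    """Normalise tags to a lower-case list, accepting both
    "policymaker,monitoring" and ["policymaker", "monitoring"]."""
    tags = user.get("tags", "")
    if isinstance(tags, str):
        tags = tags.split(",")
    return [t.strip().lower() for t in tags if t.strip()]


def policymaker_users(users: Iterable[dict]) -> List[str]:
    return sorted(u["name"] for u in users if "policymaker" in user_tags(u))


def assess(version: str, users: Iterable[dict]) -> dict:
    """Exposed only when the build is old AND someone holds the tag."""
    users = list(users)
    exposed = policymaker_users(users)
    return {
        "version": version,
        "vulnerable": is_vulnerable_version(version) and bool(exposed),
        "policymaker_users": exposed,
    }


def remediation_commands(users: Iterable[dict]) -> List[str]:
    """lavinmqctl set_user_tags lines that remove the policymaker tag
    while keeping every other tag the user has."""
    cmds = []
    for u in users:
        tags = user_tags(u)
        if "policymaker" in tags:
            remaining = [t for t in tags if t != "policymaker"]
            cmds.append(
                f"lavinmqctl set_user_tags {u['name']} {','.join(remaining)}".rstrip()
            )
    return cmds


# Constructed sample data for the example.
SAMPLE_USERS = [
    {"name": "admin", "tags": "administrator"},
    {"name": "ops-bot", "tags": "policymaker,monitoring"},
    {"name": "reporting", "tags": ["policymaker"]},
    {"name": "app", "tags": ""},
]

if __name__ == "__main__":
    print(assess("LavinMQ 2.6.7", SAMPLE_USERS))
    for cmd in remediation_commands(SAMPLE_USERS):
        print(cmd)
```

In practice the version string comes from `lavinmqctl status` or the startup log and the user list from the management API; the generated commands are a review list for an operator, not something to apply blindly, since some Policymaker users may need the tag for their role.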

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized shovel creation attempts
  • Shovel configurations referencing vhosts the user shouldn't access
  • Unexpected message flow between vhosts

Network Indicators:

  • Unusual API calls to shovel management endpoints from Policymaker users
  • Unexpected message traffic patterns

SIEM Query:

source="lavinmq.log" AND "shovel" AND ("created" OR "configured") AND user.tag="Policymaker"
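The indicators above ("shovel configurations referencing vhosts the user shouldn't access", "unexpected message flow between vhosts") can be checked directly against the shovel definitions rather than only against logs. The following is an added example, not code from the advisory or from the LavinMQ project: it parses the vhost out of each shovel's source and destination AMQP URIs and reports every shovel that reaches into a vhost other than the one it is defined in. It assumes shovel definitions shaped like the RabbitMQ-compatible GET /api/parameters/shovel response (objects with "vhost", "name" and a "value" carrying "src-uri"/"dest-uri", each a string or a list of strings); the sample definitions are constructed.

```python
"""Added example (not from the advisory or the LavinMQ project).

Assumptions: shovel definitions look like a RabbitMQ-style
GET /api/parameters/shovel response; URIs follow the AMQP URI convention.
"""
from typing import Dict, Iterable, List, Union
from urllib.parse import unquote, urlsplit


def vhost_from_amqp_uri(uri: str) -> str:
    """AMQP URI convention: no path at all means the default vhost '/',
    a bare '/' means the vhost with the empty name, anything else is the
    percent-decoded path (so '/%2F' is also the default vhost)."""
    parts = urlsplit(uri)
    if parts.scheme not in ("amqp", "amqps"):
        raise ValueError(f"not an AMQP URI: {uri!r}")
    if parts.path == "":
        return "/"
    return unquote(parts.path[1:])


def _uris(value: Union[str, List[str], None]) -> List[str]:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def shovel_vhosts(shovel: dict) -> Dict[str, List[str]]:
    """Vhosts touched on each side of one shovel definition."""
    v = shovel["value"]
    return {
        "src": [vhost_from_amqp_uri(u) for u in _uris(v.get("src-uri"))],
        "dest": [vhost_from_amqp_uri(u) for u in _uris(v.get("dest-uri"))],
    }


def cross_vhost_shovels(shovels: Iterable[dict]) -> List[dict]:
    """Findings for shovels whose source or destination lives outside the
    vhost the shovel parameter itself is defined in."""
    findings = []
    for s in shovels:
        home = s["vhost"]
        ends = shovel_vhosts(s)
        foreign = sorted({vh for side in ends.values() for vh in side if vh != home})
        if foreign:
            findings.append({"vhost": home, "name": s["name"], "foreign_vhosts": foreign})
    return findings


# Constructed sample definitions for the example.
SAMPLE_SHOVELS = [
    {"vhost": "tenant-a", "name": "replicate-orders",
     "value": {"src-uri": "amqp://svc:pw@broker/tenant-a", "src-queue": "orders",
               "dest-uri": "amqp://svc:pw@broker/tenant-a", "dest-queue": "orders-archive"}},
    {"vhost": "tenant-a", "name": "drain-billing",
     "value": {"src-uri": "amqp://svc:pw@broker/billing", "src-queue": "invoices",
               "dest-uri": "amqp://svc:pw@broker/tenant-a", "dest-queue": "inbox"}},
    {"vhost": "/", "name": "fanout",
     "value": {"src-uri": "amqp://broker", "src-queue": "events",
               "dest-uri": ["amqp://broker/%2F", "amqp://broker/audit"], "dest-queue": "events"}},
]

if __name__ == "__main__":
    for f in cross_vhost_shovels(SAMPLE_SHOVELS):
        print(f"{f['vhost']}/{f['name']} reaches into {f['foreign_vhosts']}")
```

A cross-vhost shovel is not proof of abuse; some are intentional. The output is a triage list to compare against the vhost permissions of whoever defined each shovel, and any entry whose owner lacks read or write rights on the foreign vhost is the case this advisory describes.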

🔗 References