CVE-2026-25768

6.5 MEDIUM

📋 TL;DR

CVE-2026-25768 is an authorization bypass vulnerability in the LavinMQ message queue server: authenticated users can access broker metadata they should not have permission to view. It affects all LavinMQ deployments running versions before 2.6.6. Exploitation requires authenticated access, but the flaw could expose sensitive configuration or operational data.

💻 Affected Systems

Products:
  • LavinMQ
Versions: All versions before 2.6.6
Operating Systems: All platforms running LavinMQ
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; affects all deployments with versions before the fix.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could access sensitive broker metadata, including configuration details, queue statistics, or connection information, that could facilitate further attacks or data exfiltration.

🟠 Likely Case

Authorized users exceed their intended permissions by viewing metadata about queues, exchanges, or connections they should not have access to, potentially exposing operational data.

🟢 If Mitigated

With proper network segmentation and minimal user permissions, exposure is limited to non-critical metadata.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to the LavinMQ management interface or API.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.6

Vendor Advisory: https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-r2mh-8vq6-qf7m

Restart Required: No

Instructions:

1. Back up your current configuration and data.
2. Stop the LavinMQ service.
3. Update to version 2.6.6 or later using your package manager or by downloading from GitHub releases.
4. Start the LavinMQ service.
5. Verify that the version is 2.6.6 or higher.

🔧 Temporary Workarounds

Restrict User Permissions

all

Minimize user permissions to only what is absolutely necessary for each role.

Network Segmentation

all

Restrict access to the LavinMQ management interface to trusted networks only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the LavinMQ management interface
  • Audit and minimize user accounts with access to LavinMQ, ensuring least privilege principles

🔍 How to Verify

Check if Vulnerable:

Check whether the LavinMQ version is below 2.6.6 using the version check command below.

Check Version:

lavinmqctl status | grep version

Verify Fix Applied:

Confirm that the version is 2.6.6 or higher and test that authenticated users cannot access metadata they are not authorized to view.
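An added helper, not from the page or the LavinMQ project, that turns the version check above into a pass/fail decision. It compares versions numerically field by field (a plain string comparison would rank 2.10.0 below 2.6.6); the output format of `lavinmqctl status` is an assumption, so the sample line is constructed and the version is pulled out by pattern.

```shell
#!/bin/sh
# Fixed release for CVE-2026-25768, taken from the advisory.
FIXED_VERSION="2.6.6"

# Convert "MAJOR.MINOR.PATCH[-suffix]" into one integer so that
# 2.10.0 compares greater than 2.6.6 (string comparison gets this wrong).
version_key() {
    v=${1#v}                 # tolerate a leading "v"
    v=${v%%[!0-9.]*}         # drop pre-release/build suffix such as "-rc1"
    IFS=. read -r maj min pat _ <<EOF
$v
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# True (exit 0) when the given version is older than FIXED_VERSION.
is_vulnerable_version() {
    [ "$(version_key "$1")" -lt "$(version_key "$FIXED_VERSION")" ]
}

# Pull the first dotted X.Y.Z token out of arbitrary status text.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Classify captured status output as vulnerable / patched / unknown.
check_status_output() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif is_vulnerable_version "$ver"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Constructed sample line standing in for `lavinmqctl status | grep version`;
# the real output format is assumed, which is why extraction is by pattern.
SAMPLE_STATUS="version: 2.6.5"

main() {
    # On a live host: check_status_output "$(lavinmqctl status | grep version)"
    printf 'LavinMQ %s -> %s (fixed in %s)\n' \
        "$(extract_version "$SAMPLE_STATUS")" \
        "$(check_status_output "$SAMPLE_STATUS")" "$FIXED_VERSION"
}
main
```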

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized metadata access attempts in LavinMQ logs
  • Unusual patterns of metadata queries from authenticated users

Network Indicators:

  • Unusual volume of metadata requests to LavinMQ management API

SIEM Query:

source="lavinmq.log" AND ("metadata" OR "unauthorized" OR "permission denied")
