Cyber Resilience

CVE-2026-25767

High

Published: 12 February 2026

Modified: 20 February 2026
KEV added: not listed
Patch: available (fixed in 2.6.8)
CVSS v4 score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0025 (16.2nd percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25767 is a high-severity Incorrect Authorization (CWE-863) vulnerability in 84codes LavinMQ. Its CVSS v4 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 16.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25767 is an access control bypass vulnerability (CWE-863) in LavinMQ, a high-performance message queue and streaming server. In versions prior to 2.6.8, an authenticated user with the "Policymaker" management tag can create shovels that circumvent intended access restrictions. The flaw enables unauthorized interactions with virtual hosts (vhosts), earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

An authenticated attacker possessing the "Policymaker" tag can exploit this vulnerability remotely with low privileges and no user interaction. Successful exploitation allows reading messages from vhosts the user is not authorized to access or publishing messages to unauthorized vhosts, potentially leading to data exfiltration or unauthorized message injection in multi-tenant environments.

The vulnerability is addressed in LavinMQ 2.6.8. Security practitioners should upgrade to this patched version immediately. Detailed fixes are documented in GitHub commits 3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a and be03da31f3db1a2552f7094ff58e953ef50cdc82, pull requests #1670 and #1687, and the security advisory at GHSA-wh37-6vrr-r9wg.
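The defensive check a practitioner would want after reading the above is an audit of existing shovel definitions for ones that reach into a vhost other than the one they were defined in, since that is exactly the data flow a "Policymaker" user could set up before 2.6.8. The following is an added example, not code from the advisory or the LavinMQ project; it assumes shovel records in the RabbitMQ-style parameter shape (`vhost`, `name`, `value` with `src-uri`/`dest-uri`) and operates on a constructed sample export.

```python
# Added example (not from the advisory or LavinMQ): flag shovels whose source or
# destination vhost differs from the defining vhost, and rate them by whether the
# broker still runs a pre-2.6.8 release. The record shape below is ASSUMED to
# follow the RabbitMQ-style shovel parameter format; adjust field names if needed.
from urllib.parse import urlparse, unquote

FIXED_VERSION = (2, 6, 8)


def is_vulnerable_version(version: str) -> bool:
    """True for any release before the 2.6.8 fix (plain dotted versions only)."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION


def vhost_from_amqp_uri(uri: str) -> str:
    """Vhost of an AMQP URI: no path means the default vhost "/", otherwise the
    percent-decoded path after the leading slash ("%2F" -> "/")."""
    path = urlparse(uri).path
    return "/" if path == "" else unquote(path[1:])


def audit_shovels(shovels: list, version: str) -> list:
    """One finding per shovel that reads from or writes to a foreign vhost.
    On a pre-fix version the creator may never have been granted that vhost."""
    findings = []
    for s in shovels:
        home = s["vhost"]
        reaches = {vhost_from_amqp_uri(s["value"][k]) for k in ("src-uri", "dest-uri")}
        foreign = sorted(v for v in reaches if v != home)
        if foreign:
            findings.append({
                "shovel": s["name"], "vhost": home, "reaches": foreign,
                "severity": "high" if is_vulnerable_version(version) else "review",
            })
    return findings


# Constructed sample export: one in-vhost shovel, two that cross vhost boundaries.
SAMPLE_SHOVELS = [
    {"vhost": "tenant-a", "name": "local-copy",
     "value": {"src-uri": "amqp:///tenant-a", "dest-uri": "amqp:///tenant-a"}},
    {"vhost": "tenant-a", "name": "drain-b",
     "value": {"src-uri": "amqp://localhost/tenant-b", "dest-uri": "amqp:///tenant-a"}},
    {"vhost": "tenant-a", "name": "inject-default",
     "value": {"src-uri": "amqp:///tenant-a", "dest-uri": "amqp://localhost/%2F"}},
]

if __name__ == "__main__":
    for finding in audit_shovels(SAMPLE_SHOVELS, "2.6.7"):
        print(finding)
```

On a patched broker the same cross-vhost shovels are reported as "review" rather than "high": they may be legitimate, but each one should map to a user who actually holds permissions on both vhosts.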

Vulnerability details

LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user with the "Policymaker" tag could create shovels bypassing access controls. An authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.

CWE(s): CWE-863 (Incorrect Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

Remote authenticated access control bypass (CWE-863) in LavinMQ management interface directly enables exploitation of a public-facing application (T1190) to achieve unauthorized vhost access. This constitutes privilege escalation via abuse of authorization controls (T1068). Successful exploitation permits direct reading of messages from the message queue data store (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44110 (shared CWE-863)
CVE-2026-44633 (shared CWE-863)
CVE-2026-22595 (shared CWE-863)
CVE-2026-32914 (shared CWE-863)
CVE-2026-28392 (shared CWE-863)
CVE-2026-32267 (shared CWE-863)
CVE-2025-55213 (shared CWE-863)
CVE-2026-44221 (shared CWE-863)
CVE-2025-24434 (shared CWE-863)
CVE-2026-22230 (shared CWE-863)

Affected Assets

84codes
lavinmq
≤ 2.6.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Requires the system to enforce approved access authorizations, directly preventing authenticated Policymaker users from bypassing vhost restrictions via unauthorized shovels.

SI-2 Flaw Remediation (prevent)

Mandates identification, reporting, and timely correction of flaws like the access control bypass in LavinMQ versions prior to 2.6.8.

Least privilege (prevent)

Employs least privilege to restrict Policymaker role capabilities, reducing the risk of exploiting excessive permissions for unauthorized vhost message access.
