CVE-2026-25767
Published: 12 February 2026
Summary
CVE-2026-25767 is a high-severity Incorrect Authorization (CWE-863) vulnerability in 84Codes Lavinmq. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 16.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25767 is an access control bypass vulnerability (CWE-863) in LavinMQ, a high-performance message queue and streaming server. In versions prior to 2.6.8, an authenticated user with the "Policymaker" management tag can create shovels that circumvent intended access restrictions. The flaw enables unauthorized interactions with virtual hosts (vhosts), earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
An authenticated attacker possessing the "Policymaker" tag can exploit this vulnerability remotely with low privileges and no user interaction. Successful exploitation allows reading messages from vhosts the user is not authorized to access or publishing messages to unauthorized vhosts, potentially leading to data exfiltration or unauthorized message injection in multi-tenant environments.
The vulnerability is addressed in LavinMQ 2.6.8. Security practitioners should upgrade to this patched version immediately. Detailed fixes are documented in GitHub commits 3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a and be03da31f3db1a2552f7094ff58e953ef50cdc82, pull requests #1670 and #1687, and the security advisory at GHSA-wh37-6vrr-r9wg.
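As an added defender-side example (not LavinMQ project code and not part of the advisory), the following Python helpers check a reported server version against the fixed 2.6.8 release, list users carrying the "Policymaker" tag, and flag shovel definitions whose source or destination URI points at a vhost other than the one the shovel is defined in. The user and shovel records are constructed and assume the RabbitMQ-compatible management API shapes (users with a `tags` field; shovel parameters with `vhost`, `name` and a `value` carrying `src-uri`/`dest-uri`).

```python
from urllib.parse import urlparse, unquote
FIXED_VERSION = (2, 6, 8)  # first LavinMQ release containing the fix

def is_vulnerable(version: str) -> bool:
    """True when a reported version (e.g. '2.6.7' or '2.6.7-rc1') predates 2.6.8."""
    core = version.split("-")[0].split(".")[:3]
    return tuple(int(p) for p in core) < FIXED_VERSION

def has_tag(user: dict, tag: str) -> bool:
    """Tags arrive as a comma-separated string or a list, depending on API version."""
    tags = user.get("tags", [])
    if isinstance(tags, str):
        tags = [t.strip() for t in tags.split(",")]
    return tag in tags

def policymaker_users(users: list) -> list:
    """Users who may create shovels: the accounts this flaw lets overstep vhost limits."""
    return [u["name"] for u in users if has_tag(u, "policymaker")]

def uri_vhost(uri: str) -> str:
    """Vhost named by an AMQP URI: no path means '/', a bare '/' means the empty vhost."""
    path = urlparse(uri).path
    return "/" if path == "" else unquote(path[1:])

def cross_vhost_shovels(shovels: list) -> list:
    """(vhost, shovel, key, target vhost) for shovels reaching outside their own vhost."""
    findings = []
    for s in shovels:
        for key in ("src-uri", "dest-uri"):
            uris = s["value"].get(key, [])
            for uri in [uris] if isinstance(uris, str) else uris:
                if uri_vhost(uri) != s["vhost"]:
                    findings.append((s["vhost"], s["name"], key, uri_vhost(uri)))
    return findings

# Constructed sample records (not real data), in the RabbitMQ-compatible API shape.
SAMPLE_USERS = [
    {"name": "admin", "tags": "administrator"},
    {"name": "tenant-a-ops", "tags": "policymaker,management"},
    {"name": "tenant-b-svc", "tags": ["monitoring"]},
]
SAMPLE_SHOVELS = [
    {"vhost": "tenant-a", "name": "archive", "value": {
        "src-uri": "amqp:///tenant-a", "src-queue": "events",
        "dest-uri": "amqp:///tenant-a", "dest-queue": "archive"}},
    {"vhost": "tenant-a", "name": "drain", "value": {
        "src-uri": "amqp://localhost/tenant-b", "src-queue": "orders",
        "dest-uri": ["amqp:///tenant-a"], "dest-queue": "inbound"}},
]
```

On an unpatched server, any shovel reported by `cross_vhost_shovels` that was created by a non-administrator Policymaker account deserves review, since the page's flaw is precisely that such users could define shovels outside their authorized vhosts.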
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6692
Vulnerability details
LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user with the "Policymaker" tag could create shovels bypassing access controls. An authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access, or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote authenticated access control bypass (CWE-863) in LavinMQ management interface directly enables exploitation of a public-facing application (T1190) to achieve unauthorized vhost access. This constitutes privilege escalation via abuse of authorization controls (T1068). Successful exploitation permits direct reading of messages from the message queue data store (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): requires the system to enforce approved access authorizations, directly preventing authenticated Policymaker users from bypassing vhost restrictions via unauthorized shovels.
- SI-2 (Flaw Remediation): mandates identification, reporting, and timely correction of flaws such as the access control bypass in LavinMQ versions prior to 2.6.8.
- AC-6 (Least Privilege): restricts the capabilities granted to the Policymaker role, reducing the risk that excessive permissions are used for unauthorized vhost message access.