8.6
CVE-2026-25767
- EPSS 0.25%
- Veröffentlicht 12.02.2026 19:49:49
- Zuletzt bearbeitet 20.02.2026 18:35:38
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginLavinMQ has incomplete shovel configuration validation
LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.25% | 0.161 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
|
| security-advisories@github.com | 8.6 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wg
https://github.com/cloudamqp/lavinmq/pull/1670
https://github.com/cloudamqp/lavinmq/pull/1687
https://github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a
https://github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82