Unrated severityNVD Advisory· Published Feb 12, 2026· Updated Feb 12, 2026

LavinMQ has incomplete shovel configuration validation

CVE-2026-25767

Description

LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8.

Affected products

LavinMQ/LavinMQllm-create
Range: <2.6.8
cloudamqp/lavinmqv5
Range: < 2.6.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9amitrex_refsource_MISC
github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82mitrex_refsource_MISC
github.com/cloudamqp/lavinmq/pull/1670mitrex_refsource_MISC
github.com/cloudamqp/lavinmq/pull/1687mitrex_refsource_MISC
github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wgmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000