{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T14:16:13.526","vulnerabilities":[{"cve":{"id":"CVE-2026-25767","sourceIdentifier":"security-advisories@github.com","published":"2026-02-12T20:16:10.623","lastModified":"2026-02-20T18:35:38.183","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user with the \"Policymaker\" management tag could create shovels that bypass access controls. Such a user could exploit this to read messages from vhosts they are not authorized to access, or to publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8."},{"lang":"es","value":"LavinMQ es un servidor de cola de mensajes y streaming de alto rendimiento. Antes de la versión 2.6.8, un usuario autenticado, con la etiqueta 'Policymaker', podía crear 'shovels' eludiendo los controles de acceso. Un usuario autenticado con la etiqueta de gestión 'Policymaker' podría explotarlo para leer mensajes de 'vhosts' a los que no está autorizado a acceder o publicar mensajes en 'vhosts' a los que no está autorizado a acceder. 
Esta vulnerabilidad está corregida en la versión 2.6.8."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[
{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:84codes:lavinmq:*:*:*:*:*:*:*:*","versionEndExcluding":"2.6.8","matchCriteriaId":"D27D43CF-66DA-452C-A820-C7302EAB3558"}]}]}],"references":[{"url":"https://github.com/cloudamqp/lavinmq/commit/3a83e5894495b60c7c32a79c3dbc9bd9fa237d9a","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/cloudamqp/lavinmq/commit/be03da31f3db1a2552f7094ff58e953ef50cdc82","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/cloudamqp/lavinmq/pull/1670","source":"security-advisories@github.com","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/cloudamqp/lavinmq/pull/1687","source":"security-advisories@github.com","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/cloudamqp/lavinmq/security/advisories/GHSA-wh37-6vrr-r9wg","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}}]}