Overview
Broadcom disclosed a critical authentication bypass vulnerability in VMware Avi Load Balancer on July 18, 2026. Tracked as CVE-2026-47865 with a CVSS score of 9.8 (Critical), the flaw allows any malicious user with network access to completely circumvent authentication and gain unrestricted access to the Avi Control Plane—with no credentials required.
This is the most severe of four vulnerabilities disclosed simultaneously in the same product. Successful exploitation grants an attacker full confidentiality, integrity, and availability impact over the Control Plane.
Technical Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-47865 |
| CVSS Score | 9.8 (Critical) |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-287 — Improper Authentication |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
The vulnerability is classified as CWE-287 (Improper Authentication), meaning the application fails to properly verify the identity of users before granting access to protected functionality. An unauthenticated attacker on the same network segment—or reachable via a publicly exposed Control Plane interface—can exploit this flaw without any prior knowledge of credentials or system state.
Affected Versions
| Version Range | Status | Patched Version |
|---|---|---|
| 22.1.1 – 22.1.7 | Vulnerable | Upgrade to 30.2.7 |
| 30.1.1 – 30.2.6 | Vulnerable | Upgrade to 30.2.7 |
| 31.1.1 – 31.2.2 | Vulnerable | Upgrade to 31.2.2-2p3 |
Version 32.1.x is not affected by this specific CVE.
Risk Assessment
The combination of no authentication requirement, low attack complexity, and full CIA impact makes CVE-2026-47865 a top-priority remediation target. The VMware Avi Load Balancer Control Plane is the administrative hub for managing application delivery infrastructure—gaining access to it allows an attacker to:
- Reconfigure load balancing rules and routing policies
- Intercept or redirect application traffic
- Pivot to backend application servers
- Leverage companion RCE vulnerabilities (CVE-2026-47867, CVE-2026-47869) for code execution
In environments where the Control Plane is network-accessible (even internally), this flaw represents an immediate lateral movement and privilege escalation risk.
Remediation
Broadcom has released patches addressing this vulnerability. There are no documented workarounds—upgrading is the only remediation.
Upgrade path:
- If running 22.1.x or 30.1.x–30.2.6: upgrade to 30.2.7
- If running 31.1.x–31.2.2: upgrade to 31.2.2-2p3
The full advisory is available via the Broadcom Support Portal (authentication required). Organizations running older, end-of-life 22.1.x branches should treat the required jump to 30.2.7 as an urgent upgrade rather than a patch.
Recommendations
- Audit exposure immediately: Determine whether your Avi Control Plane is accessible from untrusted network segments or the internet. If so, restrict access with firewall rules while patching.
- Prioritize this patch: With a CVSS of 9.8 and no privileges required, this should be treated as a P0 remediation item.
- Apply all four patches together: This CVE was disclosed alongside three other vulnerabilities (CVE-2026-47866, CVE-2026-47867, CVE-2026-47869) in the same product. Apply the full patch bundle rather than cherry-picking.
- Review access logs: If patching is delayed, review Control Plane authentication logs for anomalous or unauthenticated access attempts.
References
- NVD Entry — CVE-2026-47865
- Broadcom Support Portal Advisory (authentication required)