Overview
Broadcom disclosed CVE-2026-47866, an authorization bypass vulnerability in VMware Avi Load Balancer, on July 18, 2026. Assigned a CVSS score of 8.3 (High), this flaw allows a low-privileged authenticated attacker with network access to bypass authorization controls and access a limited subset of the Avi Control Plane without appropriate permissions.
While not as severe as the concurrent authentication bypass (CVE-2026-47865), this vulnerability is significant in a chained attack scenario and represents a meaningful access control failure within the product.
Technical Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-47866 |
| CVSS Score | 8.3 (High) |
| CVSS Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |
| CWE | CWE-863 — Incorrect Authorization |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
The vulnerability is classified as CWE-863 (Incorrect Authorization), meaning the application fails to enforce proper authorization checks when granting access to protected resources. Unlike the companion CVE-2026-47865 (which requires no credentials), this flaw requires a low-privilege authenticated session to exploit—but the required privilege level is minimal and may be obtainable through other means, including the authentication bypass.
The impact profile includes high confidentiality and high integrity impact, with low availability impact, indicating an attacker could read sensitive configuration data and make unauthorized modifications within the accessible scope.
Affected Versions
| Version Range | Status | Patched Version |
|---|---|---|
| 22.1.1 – 22.1.7 | Vulnerable | Upgrade to 30.2.7 |
| 30.1.1 – 30.2.6 | Vulnerable | Upgrade to 30.2.7 |
| 31.1.1 – 31.2.2 | Vulnerable | Upgrade to 31.2.2-2p3 |
| 32.1.1 | Vulnerable | Upgrade to 32.1.2 |
Role in the Vulnerability Chain
CVE-2026-47866 is the least severe of the four VMware Avi Load Balancer vulnerabilities disclosed on July 18, 2026, but it plays an important role in attack escalation:
| Step | CVE | What It Enables |
|---|---|---|
| 1 | CVE-2026-47865 (CVSS 9.8) | Unauthenticated access to Control Plane |
| 2 | CVE-2026-47866 (CVSS 8.3) | Escalate from low-priv to unauthorized resource access |
| 3 | CVE-2026-47867 or CVE-2026-47869 (CVSS 8.7) | Execute arbitrary code on Control Plane |
An attacker who gains initial foothold via the auth bypass can use this authorization bypass to expand their access before leveraging one of the two RCE flaws, making this CVE a meaningful link in a full compromise chain.
Risk Assessment
In isolation, CVE-2026-47866 requires a low-privilege authenticated account. However, organizations should not use this as a reason to deprioritize patching:
- The companion authentication bypass (CVE-2026-47865) can be chained to obtain that initial foothold without credentials
- The "limited subset" of accessible Control Plane resources may include sensitive configuration data or credentials that enable further escalation
- The high integrity impact means unauthorized modifications to routing or policy configurations are possible
In environments with strict internal authentication controls but unpatched systems, this flaw could also be exploited by malicious insiders with minimal access.
Remediation
Broadcom has released patches across all affected version branches. No workarounds are documented.
Upgrade path:
- If running 22.1.x or 30.1.x–30.2.6: upgrade to 30.2.7
- If running 31.1.x–31.2.2: upgrade to 31.2.2-2p3
- If running 32.1.1: upgrade to 32.1.2
Apply the full patch bundle that addresses all four CVEs simultaneously.
Recommendations
- Apply all four patches as a bundle: CVE-2026-47866 is patched by the same update that addresses the RCE and auth bypass vulnerabilities. Apply them together.
- Audit low-privilege accounts: Review which users have low-level authenticated access to the Control Plane. Reduce the attack surface by removing unnecessary accounts.
- Monitor for anomalous access: Look for low-privilege user accounts accessing resources outside their expected scope in Control Plane audit logs.
- Network segmentation: Even after patching, restricting Control Plane network access to management networks is a defense-in-depth best practice.
References
- NVD Entry — CVE-2026-47866
- NVD Entry — CVE-2026-47865 (critical auth bypass)
- NVD Entry — CVE-2026-47867 (companion RCE)
- NVD Entry — CVE-2026-47869 (companion RCE)
- Broadcom Support Portal Advisory (authentication required)