Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1961+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-47866: Authorization Bypass in VMware Avi Load Balancer
CVE-2026-47866: Authorization Bypass in VMware Avi Load Balancer
SECURITYHIGHCVE-2026-47866

CVE-2026-47866: Authorization Bypass in VMware Avi Load Balancer

A CVSS 8.3 authorization bypass vulnerability in VMware Avi Load Balancer allows low-privileged authenticated users to access restricted Control Plane resources without proper authorization. Patch to 30.2.7, 31.2.2-2p3, or 32.1.2.

Dylan H.

Security Team

July 18, 2026
4 min read

Affected Products

  • VMware Avi Load Balancer 22.1.1–22.1.7, 30.1.1–30.2.6, 31.1.1–31.2.2, 32.1.1

Overview

Broadcom disclosed CVE-2026-47866, an authorization bypass vulnerability in VMware Avi Load Balancer, on July 18, 2026. Assigned a CVSS score of 8.3 (High), this flaw allows a low-privileged authenticated attacker with network access to bypass authorization controls and access a limited subset of the Avi Control Plane without appropriate permissions.

While not as severe as the concurrent authentication bypass (CVE-2026-47865), this vulnerability is significant in a chained attack scenario and represents a meaningful access control failure within the product.

Technical Details

AttributeValue
CVE IDCVE-2026-47866
CVSS Score8.3 (High)
CVSS VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CWECWE-863 — Incorrect Authorization
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeUnchanged

The vulnerability is classified as CWE-863 (Incorrect Authorization), meaning the application fails to enforce proper authorization checks when granting access to protected resources. Unlike the companion CVE-2026-47865 (which requires no credentials), this flaw requires a low-privilege authenticated session to exploit—but the required privilege level is minimal and may be obtainable through other means, including the authentication bypass.

The impact profile includes high confidentiality and high integrity impact, with low availability impact, indicating an attacker could read sensitive configuration data and make unauthorized modifications within the accessible scope.

Affected Versions

Version RangeStatusPatched Version
22.1.1 – 22.1.7VulnerableUpgrade to 30.2.7
30.1.1 – 30.2.6VulnerableUpgrade to 30.2.7
31.1.1 – 31.2.2VulnerableUpgrade to 31.2.2-2p3
32.1.1VulnerableUpgrade to 32.1.2

Role in the Vulnerability Chain

CVE-2026-47866 is the least severe of the four VMware Avi Load Balancer vulnerabilities disclosed on July 18, 2026, but it plays an important role in attack escalation:

StepCVEWhat It Enables
1CVE-2026-47865 (CVSS 9.8)Unauthenticated access to Control Plane
2CVE-2026-47866 (CVSS 8.3)Escalate from low-priv to unauthorized resource access
3CVE-2026-47867 or CVE-2026-47869 (CVSS 8.7)Execute arbitrary code on Control Plane

An attacker who gains initial foothold via the auth bypass can use this authorization bypass to expand their access before leveraging one of the two RCE flaws, making this CVE a meaningful link in a full compromise chain.

Risk Assessment

In isolation, CVE-2026-47866 requires a low-privilege authenticated account. However, organizations should not use this as a reason to deprioritize patching:

  • The companion authentication bypass (CVE-2026-47865) can be chained to obtain that initial foothold without credentials
  • The "limited subset" of accessible Control Plane resources may include sensitive configuration data or credentials that enable further escalation
  • The high integrity impact means unauthorized modifications to routing or policy configurations are possible

In environments with strict internal authentication controls but unpatched systems, this flaw could also be exploited by malicious insiders with minimal access.

Remediation

Broadcom has released patches across all affected version branches. No workarounds are documented.

Upgrade path:

  • If running 22.1.x or 30.1.x–30.2.6: upgrade to 30.2.7
  • If running 31.1.x–31.2.2: upgrade to 31.2.2-2p3
  • If running 32.1.1: upgrade to 32.1.2

Apply the full patch bundle that addresses all four CVEs simultaneously.

Recommendations

  1. Apply all four patches as a bundle: CVE-2026-47866 is patched by the same update that addresses the RCE and auth bypass vulnerabilities. Apply them together.
  2. Audit low-privilege accounts: Review which users have low-level authenticated access to the Control Plane. Reduce the attack surface by removing unnecessary accounts.
  3. Monitor for anomalous access: Look for low-privilege user accounts accessing resources outside their expected scope in Control Plane audit logs.
  4. Network segmentation: Even after patching, restricting Control Plane network access to management networks is a defense-in-depth best practice.

References

  • NVD Entry — CVE-2026-47866
  • NVD Entry — CVE-2026-47865 (critical auth bypass)
  • NVD Entry — CVE-2026-47867 (companion RCE)
  • NVD Entry — CVE-2026-47869 (companion RCE)
  • Broadcom Support Portal Advisory (authentication required)
#VMware#Avi Load Balancer#Authorization Bypass#Privilege Escalation#Broadcom#CVE

Related Articles

CVE-2026-47865: Critical Authentication Bypass in VMware Avi Load Balancer

A CVSS 9.8 authentication bypass vulnerability allows unauthenticated remote attackers to gain full access to the VMware Avi Load Balancer Control Plane. Broadcom has released patches across all affected version branches.

3 min read

CVE-2026-47867: Remote Code Execution via Code Injection in VMware Avi Load Balancer

A CVSS 8.7 code injection vulnerability in VMware Avi Load Balancer enables high-privileged authenticated attackers to execute arbitrary code on the Control Plane, with scope change impact extending beyond the vulnerable component.

3 min read

CVE-2026-47869: Second RCE Code Injection Path in VMware Avi Load Balancer

Broadcom discloses a second CVSS 8.7 code injection vulnerability in VMware Avi Load Balancer. CVE-2026-47869 shares the same vector and impact as CVE-2026-47867, indicating a distinct injection point within the same component requiring the same patches.

4 min read
Back to all Security Alerts