Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1961+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-47867: Remote Code Execution via Code Injection in VMware Avi Load Balancer
CVE-2026-47867: Remote Code Execution via Code Injection in VMware Avi Load Balancer
SECURITYHIGHCVE-2026-47867

CVE-2026-47867: Remote Code Execution via Code Injection in VMware Avi Load Balancer

A CVSS 8.7 code injection vulnerability in VMware Avi Load Balancer enables high-privileged authenticated attackers to execute arbitrary code on the Control Plane, with scope change impact extending beyond the vulnerable component.

Dylan H.

Security Team

July 18, 2026
3 min read

Affected Products

  • VMware Avi Load Balancer 22.1.1–22.1.7, 30.1.1–30.2.6, 31.1.1–31.2.2, 32.1.1

Overview

Broadcom disclosed a high-severity remote code execution vulnerability in VMware Avi Load Balancer on July 18, 2026. Tracked as CVE-2026-47867 with a CVSS score of 8.7 (High), this code injection flaw allows a malicious authenticated user with network access to execute arbitrary code on the Avi Control Plane.

A notable aspect of this vulnerability is its Changed scope rating: successful exploitation can impact resources beyond the Avi Control Plane itself, such as adjacent systems or hypervisor-layer components.

Technical Details

AttributeValue
CVE IDCVE-2026-47867
CVSS Score8.7 (High)
CVSS VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
CWECWE-94 — Improper Control of Code Generation (Code Injection)
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredHigh
User InteractionNone
ScopeChanged

The vulnerability is classified as CWE-94 (Code Injection), indicating that user-controlled input is passed to a code execution context without adequate sanitization or restriction. The Changed scope (S:C) designation means that successful exploitation can affect a security scope beyond the vulnerable component—a particularly significant concern in multi-tenant or virtualized environments.

Despite requiring high privileges, this CVE is dangerous in combination with the simultaneously disclosed authentication bypass (CVE-2026-47865), which would allow an unauthenticated attacker to first gain access and then leverage this flaw for code execution.

Affected Versions

Version RangeStatusPatched Version
22.1.1 – 22.1.7VulnerableUpgrade to 30.2.7
30.1.1 – 30.2.6VulnerableUpgrade to 30.2.7
31.1.1 – 31.2.2VulnerableUpgrade to 31.2.2-2p3
32.1.1VulnerableUpgrade to 32.1.2

Note that 32.1.1 is affected by this RCE but not by CVE-2026-47865 (the authentication bypass), so the attack chain requires credentials in that version.

Risk Assessment

While CVE-2026-47867 requires high privileges in isolation, it must be assessed in the context of the four vulnerabilities disclosed simultaneously:

Attack chain scenario:

  1. Exploit CVE-2026-47865 (auth bypass, no credentials required) to gain Control Plane access
  2. Leverage CVE-2026-47866 (authorization bypass) to escalate effective permissions
  3. Use CVE-2026-47867 or CVE-2026-47869 (code injection RCE) to execute arbitrary code on the Control Plane

This chained scenario reduces the effective barrier for RCE to zero credentials required in versions prior to 32.1.x.

The Changed scope flag also means successful RCE could impact the underlying infrastructure beyond the Avi appliance itself.

Remediation

Broadcom has released patches for all affected version branches. No workarounds have been documented.

Upgrade path:

  • If running 22.1.x or 30.1.x–30.2.6: upgrade to 30.2.7
  • If running 31.1.x–31.2.2: upgrade to 31.2.2-2p3
  • If running 32.1.1: upgrade to 32.1.2

Recommendations

  1. Patch in conjunction with all four CVEs: This RCE flaw was disclosed alongside CVE-2026-47865, CVE-2026-47866, and CVE-2026-47869. Apply the full update bundle.
  2. Assess chain risk: Even if your environment limits high-privileged users, the authentication bypass (CVE-2026-47865) nullifies that control. Treat this as a zero-auth RCE in affected pre-32.1.x versions.
  3. Review Control Plane network exposure: Restrict Control Plane access to trusted management networks while patching is scheduled.
  4. Check for companion CVE-2026-47869: Both CVEs are CWE-94 code injection flaws with identical CVSS vectors, likely representing two distinct injection points. Both need to be patched.

References

  • NVD Entry — CVE-2026-47867
  • NVD Entry — CVE-2026-47865 (related auth bypass)
  • Broadcom Support Portal Advisory (authentication required)
#VMware#Avi Load Balancer#Remote Code Execution#Code Injection#Broadcom#CVE

Related Articles

CVE-2026-47869: Second RCE Code Injection Path in VMware Avi Load Balancer

Broadcom discloses a second CVSS 8.7 code injection vulnerability in VMware Avi Load Balancer. CVE-2026-47869 shares the same vector and impact as CVE-2026-47867, indicating a distinct injection point within the same component requiring the same patches.

4 min read

CVE-2026-47865: Critical Authentication Bypass in VMware Avi Load Balancer

A CVSS 9.8 authentication bypass vulnerability allows unauthenticated remote attackers to gain full access to the VMware Avi Load Balancer Control Plane. Broadcom has released patches across all affected version branches.

3 min read

CVE-2026-47866: Authorization Bypass in VMware Avi Load Balancer

A CVSS 8.3 authorization bypass vulnerability in VMware Avi Load Balancer allows low-privileged authenticated users to access restricted Control Plane resources without proper authorization. Patch to 30.2.7, 31.2.2-2p3, or 32.1.2.

4 min read
Back to all Security Alerts