Overview
Broadcom disclosed a high-severity remote code execution vulnerability in VMware Avi Load Balancer on July 18, 2026. Tracked as CVE-2026-47867 with a CVSS score of 8.7 (High), this code injection flaw allows a malicious authenticated user with network access to execute arbitrary code on the Avi Control Plane.
A notable aspect of this vulnerability is its Changed scope rating: successful exploitation can impact resources beyond the Avi Control Plane itself, such as adjacent systems or hypervisor-layer components.
Technical Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-47867 |
| CVSS Score | 8.7 (High) |
| CVSS Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |
| CWE | CWE-94 — Improper Control of Code Generation (Code Injection) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
| Scope | Changed |
The vulnerability is classified as CWE-94 (Code Injection), indicating that user-controlled input is passed to a code execution context without adequate sanitization or restriction. The Changed scope (S:C) designation means that successful exploitation can affect a security scope beyond the vulnerable component—a particularly significant concern in multi-tenant or virtualized environments.
Despite requiring high privileges, this CVE is dangerous in combination with the simultaneously disclosed authentication bypass (CVE-2026-47865), which would allow an unauthenticated attacker to first gain access and then leverage this flaw for code execution.
Affected Versions
| Version Range | Status | Patched Version |
|---|---|---|
| 22.1.1 – 22.1.7 | Vulnerable | Upgrade to 30.2.7 |
| 30.1.1 – 30.2.6 | Vulnerable | Upgrade to 30.2.7 |
| 31.1.1 – 31.2.2 | Vulnerable | Upgrade to 31.2.2-2p3 |
| 32.1.1 | Vulnerable | Upgrade to 32.1.2 |
Note that 32.1.1 is affected by this RCE but not by CVE-2026-47865 (the authentication bypass), so the attack chain requires credentials in that version.
Risk Assessment
While CVE-2026-47867 requires high privileges in isolation, it must be assessed in the context of the four vulnerabilities disclosed simultaneously:
Attack chain scenario:
- Exploit CVE-2026-47865 (auth bypass, no credentials required) to gain Control Plane access
- Leverage CVE-2026-47866 (authorization bypass) to escalate effective permissions
- Use CVE-2026-47867 or CVE-2026-47869 (code injection RCE) to execute arbitrary code on the Control Plane
This chained scenario reduces the effective barrier for RCE to zero credentials required in versions prior to 32.1.x.
The Changed scope flag also means successful RCE could impact the underlying infrastructure beyond the Avi appliance itself.
Remediation
Broadcom has released patches for all affected version branches. No workarounds have been documented.
Upgrade path:
- If running 22.1.x or 30.1.x–30.2.6: upgrade to 30.2.7
- If running 31.1.x–31.2.2: upgrade to 31.2.2-2p3
- If running 32.1.1: upgrade to 32.1.2
Recommendations
- Patch in conjunction with all four CVEs: This RCE flaw was disclosed alongside CVE-2026-47865, CVE-2026-47866, and CVE-2026-47869. Apply the full update bundle.
- Assess chain risk: Even if your environment limits high-privileged users, the authentication bypass (CVE-2026-47865) nullifies that control. Treat this as a zero-auth RCE in affected pre-32.1.x versions.
- Review Control Plane network exposure: Restrict Control Plane access to trusted management networks while patching is scheduled.
- Check for companion CVE-2026-47869: Both CVEs are CWE-94 code injection flaws with identical CVSS vectors, likely representing two distinct injection points. Both need to be patched.
References
- NVD Entry — CVE-2026-47867
- NVD Entry — CVE-2026-47865 (related auth bypass)
- Broadcom Support Portal Advisory (authentication required)