Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1961+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-47869: Second RCE Code Injection Path in VMware Avi Load Balancer
CVE-2026-47869: Second RCE Code Injection Path in VMware Avi Load Balancer
SECURITYHIGHCVE-2026-47869

CVE-2026-47869: Second RCE Code Injection Path in VMware Avi Load Balancer

Broadcom discloses a second CVSS 8.7 code injection vulnerability in VMware Avi Load Balancer. CVE-2026-47869 shares the same vector and impact as CVE-2026-47867, indicating a distinct injection point within the same component requiring the same patches.

Dylan H.

Security Team

July 18, 2026
4 min read

Affected Products

  • VMware Avi Load Balancer 22.1.1–22.1.7, 30.1.1–30.2.6, 31.1.1–31.2.2, 32.1.1

Overview

Alongside three other vulnerabilities in VMware Avi Load Balancer, Broadcom disclosed CVE-2026-47869 on July 18, 2026—a second remote code execution vulnerability arising from code injection in the Avi Control Plane. With a CVSS score of 8.7 (High), this flaw is functionally similar to its companion CVE-2026-47867, sharing the same vulnerability class (CWE-94), CVSS vector, and affected version ranges.

The presence of two distinct code injection CVEs with identical scoring suggests Broadcom identified multiple independent injection entry points within the same system component during their security review.

Technical Details

AttributeValue
CVE IDCVE-2026-47869
CVSS Score8.7 (High)
CVSS VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
CWECWE-94 — Improper Control of Code Generation (Code Injection)
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredHigh
User InteractionNone
ScopeChanged

Like CVE-2026-47867, this vulnerability is a network-reachable code injection flaw in the Avi Control Plane. The Changed scope (S:C) means successful exploitation can affect resources outside the immediate security boundary of the Avi appliance. Both high confidentiality and high integrity impacts are confirmed; availability is not impacted.

Affected Versions

Version RangeStatusPatched Version
22.1.1 – 22.1.7VulnerableUpgrade to 30.2.7
30.1.1 – 30.2.6VulnerableUpgrade to 30.2.7
31.1.1 – 31.2.2VulnerableUpgrade to 31.2.2-2p3
32.1.1VulnerableUpgrade to 32.1.2

Relationship to CVE-2026-47867

CVE-2026-47869 and CVE-2026-47867 are two distinct vulnerabilities within the same product and vulnerability class:

AttributeCVE-2026-47867CVE-2026-47869
CVSS Score8.78.7
VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:NAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
CWECWE-94CWE-94
Patched By30.2.7 / 31.2.2-2p3 / 32.1.230.2.7 / 31.2.2-2p3 / 32.1.2

Despite their similarities, they are assigned separate CVE identifiers, indicating Broadcom's security team identified them as independently exploitable code paths. Patching one does not guarantee mitigation of the other—both require the same update to be fully remediated.

Risk Assessment

On its own, this vulnerability requires high privileges to exploit, limiting the attack surface to privileged Control Plane users. However, the concurrent disclosure of CVE-2026-47865 (unauthenticated authentication bypass, CVSS 9.8) means that in versions 22.1.x through 31.2.x, an unauthenticated attacker can chain these flaws:

  1. Bypass authentication via CVE-2026-47865 (no credentials)
  2. Gain additional access via CVE-2026-47866 (low-priv authorization bypass)
  3. Execute code via CVE-2026-47869 or CVE-2026-47867

The effective combined severity in unpatched pre-32.1.x environments is equivalent to an unauthenticated RCE with changed scope.

Remediation

Apply the same patches that address CVE-2026-47867.

Upgrade path:

  • If running 22.1.x or 30.1.x–30.2.6: upgrade to 30.2.7
  • If running 31.1.x–31.2.2: upgrade to 31.2.2-2p3
  • If running 32.1.1: upgrade to 32.1.2

No workarounds have been documented. Broadcom recommends upgrading as the only mitigation.

Recommendations

  1. Do not patch CVE-2026-47867 without also addressing CVE-2026-47869: Both injection paths must be closed. The same patch package resolves both.
  2. Treat as chained exploit risk: Organizations running 22.1.x–31.2.x should assume a full unauthenticated RCE chain exists until all four CVEs are patched.
  3. Isolate Control Plane access: Apply network-level controls to restrict Control Plane accessibility to management subnets only.
  4. Verify patch application: After upgrading, confirm the installed version matches or exceeds the patched target for your branch.

References

  • NVD Entry — CVE-2026-47869
  • NVD Entry — CVE-2026-47867 (companion RCE)
  • NVD Entry — CVE-2026-47865 (related auth bypass)
  • Broadcom Support Portal Advisory (authentication required)
#VMware#Avi Load Balancer#Remote Code Execution#Code Injection#Broadcom#CVE

Related Articles

CVE-2026-47867: Remote Code Execution via Code Injection in VMware Avi Load Balancer

A CVSS 8.7 code injection vulnerability in VMware Avi Load Balancer enables high-privileged authenticated attackers to execute arbitrary code on the Control Plane, with scope change impact extending beyond the vulnerable component.

3 min read

CVE-2026-47865: Critical Authentication Bypass in VMware Avi Load Balancer

A CVSS 9.8 authentication bypass vulnerability allows unauthenticated remote attackers to gain full access to the VMware Avi Load Balancer Control Plane. Broadcom has released patches across all affected version branches.

3 min read

CVE-2026-47866: Authorization Bypass in VMware Avi Load Balancer

A CVSS 8.3 authorization bypass vulnerability in VMware Avi Load Balancer allows low-privileged authenticated users to access restricted Control Plane resources without proper authorization. Patch to 30.2.7, 31.2.2-2p3, or 32.1.2.

4 min read
Back to all Security Alerts