Overview
Alongside three other vulnerabilities in VMware Avi Load Balancer, Broadcom disclosed CVE-2026-47869 on July 18, 2026—a second remote code execution vulnerability arising from code injection in the Avi Control Plane. With a CVSS score of 8.7 (High), this flaw is functionally similar to its companion CVE-2026-47867, sharing the same vulnerability class (CWE-94), CVSS vector, and affected version ranges.
The presence of two distinct code injection CVEs with identical scoring suggests Broadcom identified multiple independent injection entry points within the same system component during their security review.
Technical Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-47869 |
| CVSS Score | 8.7 (High) |
| CVSS Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |
| CWE | CWE-94 — Improper Control of Code Generation (Code Injection) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
| Scope | Changed |
Like CVE-2026-47867, this vulnerability is a network-reachable code injection flaw in the Avi Control Plane. The Changed scope (S:C) means successful exploitation can affect resources outside the immediate security boundary of the Avi appliance. Both high confidentiality and high integrity impacts are confirmed; availability is not impacted.
Affected Versions
| Version Range | Status | Patched Version |
|---|---|---|
| 22.1.1 – 22.1.7 | Vulnerable | Upgrade to 30.2.7 |
| 30.1.1 – 30.2.6 | Vulnerable | Upgrade to 30.2.7 |
| 31.1.1 – 31.2.2 | Vulnerable | Upgrade to 31.2.2-2p3 |
| 32.1.1 | Vulnerable | Upgrade to 32.1.2 |
Relationship to CVE-2026-47867
CVE-2026-47869 and CVE-2026-47867 are two distinct vulnerabilities within the same product and vulnerability class:
| Attribute | CVE-2026-47867 | CVE-2026-47869 |
|---|---|---|
| CVSS Score | 8.7 | 8.7 |
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |
| CWE | CWE-94 | CWE-94 |
| Patched By | 30.2.7 / 31.2.2-2p3 / 32.1.2 | 30.2.7 / 31.2.2-2p3 / 32.1.2 |
Despite their similarities, they are assigned separate CVE identifiers, indicating Broadcom's security team identified them as independently exploitable code paths. Patching one does not guarantee mitigation of the other—both require the same update to be fully remediated.
Risk Assessment
On its own, this vulnerability requires high privileges to exploit, limiting the attack surface to privileged Control Plane users. However, the concurrent disclosure of CVE-2026-47865 (unauthenticated authentication bypass, CVSS 9.8) means that in versions 22.1.x through 31.2.x, an unauthenticated attacker can chain these flaws:
- Bypass authentication via CVE-2026-47865 (no credentials)
- Gain additional access via CVE-2026-47866 (low-priv authorization bypass)
- Execute code via CVE-2026-47869 or CVE-2026-47867
The effective combined severity in unpatched pre-32.1.x environments is equivalent to an unauthenticated RCE with changed scope.
Remediation
Apply the same patches that address CVE-2026-47867.
Upgrade path:
- If running 22.1.x or 30.1.x–30.2.6: upgrade to 30.2.7
- If running 31.1.x–31.2.2: upgrade to 31.2.2-2p3
- If running 32.1.1: upgrade to 32.1.2
No workarounds have been documented. Broadcom recommends upgrading as the only mitigation.
Recommendations
- Do not patch CVE-2026-47867 without also addressing CVE-2026-47869: Both injection paths must be closed. The same patch package resolves both.
- Treat as chained exploit risk: Organizations running 22.1.x–31.2.x should assume a full unauthenticated RCE chain exists until all four CVEs are patched.
- Isolate Control Plane access: Apply network-level controls to restrict Control Plane accessibility to management subnets only.
- Verify patch application: After upgrading, confirm the installed version matches or exceeds the patched target for your branch.
References
- NVD Entry — CVE-2026-47869
- NVD Entry — CVE-2026-47867 (companion RCE)
- NVD Entry — CVE-2026-47865 (related auth bypass)
- Broadcom Support Portal Advisory (authentication required)