Overview
VMware has disclosed CVE-2026-47871, a directory traversal vulnerability in its Avi Load Balancer product. Flaws in file path validation allow malicious authenticated users with network access to perform directory traversal attacks, potentially accessing sensitive files outside the intended directory scope.
With a CVSS v3.1 base score of 8.8 (High), this is the highest-severity vulnerability in the trio of Avi flaws disclosed on July 18, 2026.
Affected Versions
| Version Branch | Affected Range | Fixed Version |
|---|---|---|
| 32.x | 32.1.1 | 32.1.2 |
| 31.x | 31.1.1 – 31.2.2 | 31.2.2-2p3 |
| 30.x | 30.1.1 – 30.2.6 | 30.2.7 |
| 22.x | 22.1.1 and later (branch) | See VMware advisory |
Technical Details
Directory traversal vulnerabilities arise when an application does not properly sanitize user-supplied file path input, allowing an attacker to escape the intended directory by using path sequences such as ../. In this case, VMware Avi Load Balancer fails to adequately validate file paths for certain network-accessible operations.
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed (the flaw can impact resources outside the vulnerable component)
Impact: High Confidentiality, High Integrity, High Availability
The Changed scope and high impact ratings across CIA contribute to the elevated CVSS score of 8.8, distinguishing this from the companion privilege escalation flaws.
Potential Impact
Successful exploitation could allow an attacker to:
- Read sensitive configuration files (credentials, TLS certificates, API keys)
- Access system files outside the application sandbox
- Potentially write files to arbitrary locations, depending on the specific code path affected
Remediation
VMware has released patches to address this vulnerability:
- 32.x: Upgrade to 32.1.2 or later
- 31.x: Upgrade to 31.2.2-2p3 or later
- 30.x: Upgrade to 30.2.7 or later
Priority: Given the CVSS 8.8 score and Changed scope, patching CVE-2026-47871 should be the highest priority of the three Avi vulnerabilities disclosed simultaneously.
Mitigation
If immediate patching is not possible:
- Restrict management interface access — place Avi Load Balancer management plane on an isolated, privileged network segment
- Minimize authenticated user surface — reduce the number of accounts with API/management access to Avi
- Enable file integrity monitoring — detect unexpected file access or modification patterns on Avi nodes
- Monitor access logs — look for path traversal patterns (e.g.,
../sequences) in HTTP request logs
Context
This CVE is one of three VMware Avi Load Balancer vulnerabilities disclosed simultaneously. The full set is:
| CVE | Type | CVSS | Vector |
|---|---|---|---|
| CVE-2026-47868 | Local Privilege Escalation | 7.8 | Local |
| CVE-2026-47870 | Authenticated RCE | 7.1 | Network |
| CVE-2026-47871 | Directory Traversal | 8.8 | Network |
Organizations should patch all three in the same maintenance window.
References
- NVD Entry — CVE-2026-47871
- VMware Security Advisory (check Broadcom/VMware security portal for the official advisory)