Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1969+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-47871: VMware Avi Load Balancer Directory Traversal
CVE-2026-47871: VMware Avi Load Balancer Directory Traversal
SECURITYHIGHCVE-2026-47871

CVE-2026-47871: VMware Avi Load Balancer Directory Traversal

A directory traversal vulnerability in VMware Avi Load Balancer allows authenticated network users to bypass file path validation and access arbitrary...

Dylan H.

Security Team

July 19, 2026
3 min read

Affected Products

  • VMware Avi Load Balancer 22.1.x, 30.1.x - 30.2.6, 31.1.x - 31.2.2, 32.1.1

Overview

VMware has disclosed CVE-2026-47871, a directory traversal vulnerability in its Avi Load Balancer product. Flaws in file path validation allow malicious authenticated users with network access to perform directory traversal attacks, potentially accessing sensitive files outside the intended directory scope.

With a CVSS v3.1 base score of 8.8 (High), this is the highest-severity vulnerability in the trio of Avi flaws disclosed on July 18, 2026.

Affected Versions

Version BranchAffected RangeFixed Version
32.x32.1.132.1.2
31.x31.1.1 – 31.2.231.2.2-2p3
30.x30.1.1 – 30.2.630.2.7
22.x22.1.1 and later (branch)See VMware advisory

Technical Details

Directory traversal vulnerabilities arise when an application does not properly sanitize user-supplied file path input, allowing an attacker to escape the intended directory by using path sequences such as ../. In this case, VMware Avi Load Balancer fails to adequately validate file paths for certain network-accessible operations.

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed (the flaw can impact resources outside the vulnerable component)
Impact: High Confidentiality, High Integrity, High Availability

The Changed scope and high impact ratings across CIA contribute to the elevated CVSS score of 8.8, distinguishing this from the companion privilege escalation flaws.

Potential Impact

Successful exploitation could allow an attacker to:

  • Read sensitive configuration files (credentials, TLS certificates, API keys)
  • Access system files outside the application sandbox
  • Potentially write files to arbitrary locations, depending on the specific code path affected

Remediation

VMware has released patches to address this vulnerability:

  • 32.x: Upgrade to 32.1.2 or later
  • 31.x: Upgrade to 31.2.2-2p3 or later
  • 30.x: Upgrade to 30.2.7 or later

Priority: Given the CVSS 8.8 score and Changed scope, patching CVE-2026-47871 should be the highest priority of the three Avi vulnerabilities disclosed simultaneously.

Mitigation

If immediate patching is not possible:

  • Restrict management interface access — place Avi Load Balancer management plane on an isolated, privileged network segment
  • Minimize authenticated user surface — reduce the number of accounts with API/management access to Avi
  • Enable file integrity monitoring — detect unexpected file access or modification patterns on Avi nodes
  • Monitor access logs — look for path traversal patterns (e.g., ../ sequences) in HTTP request logs

Context

This CVE is one of three VMware Avi Load Balancer vulnerabilities disclosed simultaneously. The full set is:

CVETypeCVSSVector
CVE-2026-47868Local Privilege Escalation7.8Local
CVE-2026-47870Authenticated RCE7.1Network
CVE-2026-47871Directory Traversal8.8Network

Organizations should patch all three in the same maintenance window.

References

  • NVD Entry — CVE-2026-47871
  • VMware Security Advisory (check Broadcom/VMware security portal for the official advisory)
#Vulnerability#CVE#VMware#Directory Traversal#Load Balancer

Related Articles

CVE-2026-47868: VMware Avi Load Balancer Local Privilege Escalation

A local privilege escalation vulnerability in VMware Avi Load Balancer allows malicious local users to execute code as root. Versions 22.x through 32.1.1...

2 min read

CVE-2026-47870: VMware Avi Load Balancer Authenticated Remote Code Execution

An authenticated privilege escalation flaw in VMware Avi Load Balancer enables network-connected users to execute remote code. CVSS 7.1 High — all...

2 min read

CVE-2026-16152: SQL Injection in SourceCodester Class and Exam Timetabling System

A remotely exploitable SQL injection vulnerability has been disclosed in SourceCodester Class and Exam Timetabling System 1.0. The flaw in /edit_rooma.php allows attackers to manipulate the ID parameter to perform unauthorized database operations with a public exploit already available.

2 min read
Back to all Security Alerts