Cybersecurity & Protection

Critical flaw in VMware Avi Load Balancer lets attackers bypass authentication

Jul 18, 2026 2 min read
All articles

Broadcom has patched several security vulnerabilities in VMware Avi Load Balancer. The most severe allows attackers with network access to the Avi Controller to bypass authentication entirely.

Critical and high-severity CVEs

The most dangerous flaw (CVE-2026-47865, CVSS 9.8) is rated critical. Malicious actors with network access to the Avi Controller interface can skip the login step altogether. Broadcom's security advisory does not explain the exact attack vector.

Additional high-severity vulnerabilities include a directory traversal flaw (CVE-2026-47871, CVSS 8.8) and a code injection issue in the Avi Controller (CVE-2026-47867, CVSS 8.7). Authenticated users can also inject and execute malicious code (CVE-2026-47869, CVSS 8.7). Further issues cover unauthorized access to controller settings (CVE-2026-47866, CVSS 8.3) and a privilege escalation that lets local users run code as root (CVE-2026-47868, CVSS 7.8). A networked variant of the privilege escalation affects authenticated remote attackers as well (CVE-2026-47870, CVSS 7.1).

Available updates

Broadcom has released fixes across multiple branches. Patched versions are VMware Avi Load Balancer 32.1.2, 31.2.2-2p3, and 30.2.7. Users still running versions 22.1.1 through 22.1.7 should migrate to 30.2.7. Applying the update promptly is strongly recommended.