CVE-2026-47866 in Avi Load Balancer
Summary
by MITRE • 07/18/2026
VMware Avi Load Balancer contains an authorization bypass vulnerability. A malicious actor on the network can access a limited subset of the Avi Control Plane without proper authorization.
Affected versions: 32.1.1 (fixed in 32.1.2) 31.1.1 through 31.2.2 (fixed in 31.2.2-2p3) 30.1.1 through 30.2.6 (fixed in 30.2.7) 22.1.1 through 22.1.7 (fixed in 30.2.7)
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/18/2026
The VMware Avi Load Balancer authorization bypass vulnerability represents a critical security flaw that allows unauthorized network actors to access restricted control plane functionalities. This vulnerability affects multiple version ranges spanning from 32.1.1 through 22.1.7, with specific patches released for each affected series. The flaw enables attackers to gain access to a limited subset of the Avi Control Plane without proper authentication credentials, potentially compromising the integrity and availability of load balancing operations. Such unauthorized access could enable malicious actors to manipulate traffic routing decisions, disrupt service availability, or extract sensitive configuration data from the load balancer infrastructure.
The technical nature of this authorization bypass stems from insufficient validation of access controls within the Avi Control Plane components. This vulnerability aligns with CWE-285, which addresses improper authorization issues in software systems. The flaw likely manifests through weaknesses in the authentication mechanisms or role-based access control implementation that governs access to administrative functions. Attackers exploiting this vulnerability can potentially perform actions such as modifying load balancing rules, accessing monitoring data, or altering service configurations without proper authorization. This type of weakness creates a persistent threat vector that could be leveraged for more extensive attacks once initial unauthorized access is achieved.
The operational impact of this vulnerability extends beyond simple unauthorized access to include potential service disruption and data compromise within organizations relying on Avi Load Balancer deployments. Network-based attackers who can observe or interact with the control plane communications may exploit this flaw to gain unauthorized visibility into load balancing operations, potentially leading to targeted attacks against specific services or traffic patterns. The affected versions span several major release series, indicating a widespread exposure across different generations of the Avi platform. Organizations utilizing these vulnerable versions face significant risk of compromise, particularly in environments where the control plane is accessible from untrusted network segments.
Mitigation strategies should prioritize immediate patch deployment to address all affected version ranges as specified in the vendor advisories. System administrators must ensure that all instances of VMware Avi Load Balancer are updated to the patched versions to eliminate exposure to this authorization bypass vulnerability. Network segmentation and access control measures should be implemented to limit direct access to control plane interfaces from untrusted networks. Security monitoring should be enhanced to detect unusual access patterns or unauthorized attempts to interact with the control plane components. Organizations should also conduct comprehensive assessments of their Avi Load Balancer deployments to identify any additional security configurations that may be required to maintain operational integrity and prevent exploitation of this class of vulnerability.
This vulnerability demonstrates the importance of proper authorization controls in distributed systems and aligns with ATT&CK technique T1078 for Valid Accounts and T1566 for Phishing, as attackers may leverage unauthorized access to establish persistence or escalate privileges within affected environments. The remediation process should include thorough testing of patches in non-production environments before deployment to ensure compatibility with existing configurations and operational workflows.