CVE-2026-47871 in Avi Load Balancerinfo

Summary

by MITRE • 07/18/2026

VMware Avi Load Balancer contains a directory traversal vulnerability. Flaws in file path validation allow malicious, authenticated network users to perform directory traversal attacks.

Affected versions: 32.1.1 (fixed in 32.1.2) 31.1.1 through 31.2.2 (fixed in 31.2.2-2p3) 30.1.1 through 30.2.6 (fixed in 30.2.7) 22.1.1 through 22.1.7 (fixed in 30.2.7)

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/18/2026

The VMware Avi Load Balancer directory traversal vulnerability represents a critical security flaw that undermines the integrity of network infrastructure components. This vulnerability exists within the application's file path validation mechanisms, specifically affecting versions ranging from 32.1.1 through 22.1.7 across multiple release series. The flaw permits authenticated attackers with network access to exploit improper input sanitization techniques that fail to adequately validate user-supplied file paths. Such weaknesses create pathways for malicious actors to traverse directory structures beyond intended boundaries, potentially accessing sensitive system files and configuration data.

The technical implementation of this vulnerability stems from inadequate validation of file path parameters within the Avi Load Balancer's web interface and API endpoints. When legitimate users submit file references or path parameters, the system fails to properly sanitize or validate these inputs against established security protocols. This validation failure creates opportunities for attackers to append directory traversal sequences such as ../ or ..\ to manipulate file access patterns. The vulnerability directly aligns with CWE-22, which categorizes improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal attacks.

From an operational standpoint, this vulnerability poses significant risks to organizations relying on VMware Avi Load Balancer for critical network services. An authenticated attacker could potentially access system configuration files, log data, credential stores, and other sensitive information stored within the appliance's file system. The impact extends beyond simple data exposure as successful exploitation may enable further attacks including privilege escalation, system compromise, or denial of service conditions. Network administrators face potential unauthorized access to load balancer configurations that control traffic routing, SSL termination settings, and virtual service definitions.

The security implications of this vulnerability align with ATT&CK technique T1083, which covers the discovery of file and directory permissions. Attackers leveraging this flaw could systematically explore the target system's file structure, identifying valuable assets and potential escalation paths. The authentication requirement reduces the attack surface compared to unauthenticated vulnerabilities but still represents a serious concern given that legitimate users typically maintain access to these systems. Organizations implementing security monitoring should prioritize detection of unusual file access patterns or path traversal attempts in network logs.

Mitigation strategies for this vulnerability include immediate deployment of patched versions as specified in the vendor advisories, with version 32.1.2 addressing the 32.1.1 affected release, 31.2.2-2p3 resolving issues in 31.1.1 through 31.2.2, 30.2.7 correcting problems in 30.1.1 through 30.2.6, and the same 30.2.7 patch addressing the 22.1.1 through 22.1.7 affected versions. Network segmentation and access control measures should be implemented to limit exposure of the load balancer interfaces to only authorized personnel. Additionally, organizations should conduct thorough security assessments of their Avi Load Balancer deployments, reviewing configuration settings and implementing monitoring for suspicious file access patterns that might indicate exploitation attempts.

Responsible

Vmware

Reservation

05/20/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!