TL;DR
Broadcom has patched seven vulnerabilities in VMware Avi Load Balancer under advisory VMSA-2026-0005. The most serious, CVE-2026-47865 (CVSS 9.8), is a critical authentication bypass. It lets an unauthenticated attacker on the network reach the Avi Control plane.
Why It Matters
A load balancer sits in front of critical application traffic. Therefore, its control plane is a high-value target. This VMware Avi Load Balancer flaw hands network attackers a path past authentication entirely. Because no workarounds exist, patching is the only defense.
How the Attacks Work
The Critical Authentication Bypass
CVE-2026-47865 allows a malicious user with network access to bypass the authentication mechanism. As a result, the attacker can reach the Avi Control plane directly. A second authentication bypass, CVE-2026-47866 (CVSS 8.3), exposes a limited subset of that control plane.
Code Execution and Privilege Flaws
The advisory also fixes two remote code execution bugs. CVE-2026-47867 (CVSS 8.7) lets a network attacker run code on the control plane. CVE-2026-47869 (CVSS 8.7) requires an authenticated user to inject and execute code. Meanwhile, CVE-2026-47868 (CVSS 7.8) and CVE-2026-47870 (CVSS 7.1) cover privilege escalation, and CVE-2026-47871 (CVSS 8.8) is a directory traversal flaw.
Affected Versions
The critical authentication bypass affects Avi Load Balancer branches 31.1.1 through 31.2.2, 30.2.1 through 30.2.6, and 22.1.1 through 22.1.7. Version 32.1.1 is affected by the other six flaws at Important severity.
Exploitation Status
Broadcom states the vulnerabilities were privately reported. No in-the-wild exploitation or public proof-of-concept has been confirmed at this time.
Patch and Mitigation
Broadcom provides no workarounds, so administrators must upgrade the Avi Controller. Version 32.1.2 is the recommended fixed release. Older branches move to 31.2.2-2p3 or 30.2.7, depending on the version in use. Review the response matrix in the official Broadcom advisory (VMSA-2026-0005) before patching. Broadcom credited Filip Waeytens (NATO NCIS) and Lang Khuong Duy (Viettel IDC) for reporting the issues.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.