CVE-2026-47871
VMware · Avi Load Balancer
VMware Avi Load Balancer is vulnerable to directory traversal, which may allow an authenticated user to access sensitive files outside of the intended directory structure.
Executive summary
A directory traversal vulnerability in VMware Avi Load Balancer could allow an authenticated attacker to read or modify sensitive files on the host system.
Vulnerability
This is a directory traversal vulnerability (CWE-22) that allows an authenticated user to bypass path restrictions. The CVSS vector indicates that the attack is network-exploitable and requires only low privileges.
Business impact
With a CVSS score of 8.8, this high-severity vulnerability presents a critical threat to the confidentiality and integrity of the load balancer environment. An attacker could potentially extract sensitive configuration files, credentials, or system data, leading to a broader compromise of the network architecture managed by the load balancer.
Remediation
Immediate Action: Apply the vendor-supplied security updates immediately to resolve the directory traversal flaw.
Proactive Monitoring: Inspect web application firewall (WAF) and server access logs for suspicious path traversal sequences, such as dot-dot-slash patterns.
Compensating Controls: Implement strict file system permissions and ensure the application process runs with the minimum necessary privileges to limit the impact of potential directory access.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The high CVSS score and the nature of directory traversal vulnerabilities necessitate prompt remediation. Administrators should verify that all instances of the Avi Load Balancer are updated to the secure version to prevent potential unauthorized data exfiltration.