
Description

VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative access in VMware Aria Operations. To remediate CVE-2026-22721, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found in VMSA-2026-0001 (https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947).

PUBLISHED Reserved 2026-01-09 | Published 2026-02-25 | Updated 2026-02-26 | Assigner vmware




MEDIUM: 6.2 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

Problem types

CWE-269 Improper Privilege Management

Product status

Default status
affected

8.18.0 (custom) before 8.18.6
affected

8.18.6
unaffected

Default status
affected

4.0 (custom) before 5.2.3
affected

9.0 (custom) before 9.0.2
affected

5.2.3
unaffected

9.0.2
unaffected

Default status
affected

4.0 (custom) before 5.2.3
affected

5.2.3 (custom)
unaffected

Default status
affected

2.0 (custom) before 5.2.3
affected

5.2.3 (custom)
unaffected

References

support.broadcom.com/...l/content/SecurityAdvisories/0/36947 (VMSA-2026-0001: VMware Aria Operations updates (includes CVE-2026-22721)) vendor-advisory

techdocs.broadcom.com/...-operations-8186-release-notes.html (VMware Aria Operations 8.18.6 Release Notes (resolves CVE-2026-22721)) release-notes

cve.org (CVE-2026-22721)

nvd.nist.gov (CVE-2026-22721)
