CVE-2026-22721 MEDIUM

CVE-2026-22721: VMware Aria Operations privilege escalation vulnerability

Vendor Vmware

Product VMware Aria Operations

Weakness CWE-269

Published February 25, 2026

Last update February 27, 2026

View on NVD All CVEs

CVSS base score

6.2/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative access in VMware Aria Operations. To remediate CVE-2026-22721, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found in VMSA-2026-0001 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 .

Key dates

02Disclosure timeline

February 25, 2026 CVE published

February 27, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-22721 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/269.html

Related vulnerabilities

Identifiers

CVE CVE-2026-22721

CWE CWE-269

CVSS 6.2 / MEDIUM

Affected versions

Vendor Vmware

Product VMware Aria Operations

Affected ≥ 8.18.0 and < 8.18.6

Vendor Vmware

Product VMware Cloud Foundation

Affected ≥ 4.0 and < 5.2.3

Vendor Vmware

Product VMware Cloud Foundation

Affected ≥ 9.0 and < 9.0.2

Vendor Vmware

Product VMware Telco Cloud Platform

Affected ≥ 4.0 and < 5.2.3

Vendor Vmware

Product VMware Telco Cloud Infrastructure

Affected ≥ 2.0 and < 5.2.3

CVE-2026-22721: VMware Aria Operations privilege escalation vulnerability

01Description

02Disclosure timeline

03References

04Related CVE