NSX Policy API PATCH request for security policies fails with 400 Bad Request and PolicyValidationException

Article ID: 437932


Updated On:

Products

VMware NSX

Issue/Introduction

  • Executing a PATCH /policy/api/v1/infra/domains/default/security-policies/<security-policy-id> request against the NSX Policy API fails with a 400 Bad Request error.

  • The response body reports the validation failure, for example:

    Operation status: 'failure'
    Error: Found errors in the request

  • The NSX Manager log /var/log/proton/nsxapi.log shows a PolicyValidationException with error code PM500090, followed by the policy path of the group that failed validation:

2026-04-17T07:05:21.456Z ERROR http-nio-127.0.0.1-7440-exec-1 DfwUtil 6717 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM500090" level="ERROR" subcomp="manager"] [/infra/domains/default/groups/######]

2026-04-17T07:05:21.457Z  WARN http-nio-127.0.0.1-7440-exec-1 TransactionRetryAspect 6717 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] BaseCommunicationMap com.vmware.nsx.management.policy.policyframework.service.AbstractCommunicationMapServiceImpl.createOrUpdate(CommunicationMapContainer, boolean) failed with class com.vmware.nsx.management.policy.validator.PolicyValidationException.

Note: The preceding log excerpts are only examples. Timestamps, thread names, and the group path in brackets will differ in your environment.

Environment

VMware NSX

Cause

The error is triggered because the PATCH payload references a group path (for example /infra/domains/default/groups/<group-id> in a rule's source_groups, destination_groups, or scope) that no longer exists in the NSX inventory. Although a PATCH call creates the security policy if it is missing and updates it if it is present, the policy validation engine still resolves every referenced object before the change is accepted. If a referenced group has been deleted, or the reference is not a valid policy path, validation fails with PolicyValidationException and the whole request is rejected; no partial policy is written.

Resolution

This is expected validation behavior: NSX rejects a security policy that would contain references to objects that do not exist, rather than creating a policy with dangling group references.

Workaround: To resolve this issue, perform the following steps:

  1. Identify the missing object by reviewing nsxapi.log for the PM500090 entry and the path printed after it (for example, /infra/domains/default/groups/<group-id>).
  2. Verify whether the referenced group exists in the NSX UI under Inventory > Groups (or by searching for the group ID in the global search bar), or with a GET request to /policy/api/v1/infra/domains/default/groups/<group-id>, which returns 404 Not Found when the group has been deleted.
  3. Update the API payload or automation script (for example, Ansible or Terraform) to either:
    • Remove the reference to the deleted group, or
    • Replace it with the full policy path of an existing group.
  4. If the group is required, recreate it (with the same ID if other automation depends on it) before re-running the PATCH request.
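The following preflight script is an added example and is not part of the KB article or any VMware tooling. It extracts every group path referenced by a security-policy PATCH body (policy scope plus each rule's source_groups, destination_groups and scope), checks each one against the inventory before the PATCH is sent, and also pulls the offending path out of an nsxapi.log PM500090 entry. The inventory lookup is injected as a callable so the logic runs offline against the constructed sample below; live_group_exists shows the equivalent live check with a GET to /policy/api/v1/infra/domains/<domain>/groups/<id> (assumed basic auth; the host, credentials, sample payload and sample log line are all assumptions for illustration).

```python
"""Preflight group-reference check for an NSX Policy API security-policy PATCH.

Added example, not from the KB article. Finds references to deleted or
malformed group paths before NSX rejects the PATCH with PM500090.
"""
import re
from typing import Callable, Dict, List

# Policy paths for groups have this shape; a bare UUID without the prefix is
# not a valid reference and fails validation as well.
GROUP_PATH_RE = re.compile(r"^/infra/domains/(?P<domain>[^/]+)/groups/(?P<id>[^/\s]+)$")

# Matches the KB's nsxapi.log line: errorCode="PM500090" ... [/infra/domains/<d>/groups/<id>]
LOG_RE = re.compile(r'errorCode="PM500090".*?\[(?P<path>/infra/domains/[^/]+/groups/[^\]]+)\]')


def referenced_group_paths(policy: Dict) -> List[str]:
    """Collect every group reference in a SecurityPolicy body ('ANY' is skipped)."""
    paths = {p for p in policy.get("scope", []) if p != "ANY"}
    for rule in policy.get("rules", []):
        for key in ("source_groups", "destination_groups", "scope"):
            paths.update(p for p in rule.get(key, []) if p != "ANY")
    return sorted(paths)


def missing_group_refs(policy: Dict, group_exists: Callable[[str], bool]) -> List[str]:
    """Return references that are malformed or that the inventory lookup cannot find."""
    return [
        path
        for path in referenced_group_paths(policy)
        if not GROUP_PATH_RE.match(path) or not group_exists(path)
    ]


def failing_paths_from_log(log_text: str) -> List[str]:
    """Extract the group path(s) NSX printed after the PM500090 error code."""
    return [m.group("path") for m in LOG_RE.finditer(log_text)]


def live_group_exists(manager: str, username: str, password: str,
                      verify_tls: bool = True) -> Callable[[str], bool]:
    """Build a lookup that GETs /policy/api/v1<path> on the NSX Manager (assumed basic auth)."""
    import base64
    import ssl
    import urllib.error
    import urllib.request

    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    ctx = None if verify_tls else ssl._create_unverified_context()  # lab use only

    def exists(path: str) -> bool:
        req = urllib.request.Request(
            f"https://{manager}/policy/api/v1{path}",
            headers={"Authorization": f"Basic {token}"},
        )
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
                return resp.status == 200
        except urllib.error.HTTPError as err:
            if err.code == 404:  # deleted or never existed
                return False
            raise

    return exists


# --- Constructed sample data (assumptions, not taken from a real environment) ---
KNOWN_GROUPS = {
    "/infra/domains/default/groups/web-tier",
    "/infra/domains/default/groups/db-tier",
}

SAMPLE_POLICY = {
    "resource_type": "SecurityPolicy",
    "display_name": "app-policy",
    "category": "Application",
    "scope": ["/infra/domains/default/groups/web-tier"],
    "rules": [
        {
            "display_name": "web-to-db",
            "source_groups": ["/infra/domains/default/groups/web-tier"],
            "destination_groups": ["/infra/domains/default/groups/db-tier"],
            "services": ["/infra/services/MySQL"],
            "action": "ALLOW",
            "scope": ["ANY"],
        },
        {
            "display_name": "legacy-app",
            "source_groups": ["/infra/domains/default/groups/app-old"],  # deleted group
            "destination_groups": ["ANY"],
            "action": "DROP",
        },
    ],
}

SAMPLE_LOG = (
    '2026-04-17T07:05:21.456Z ERROR http-nio-127.0.0.1-7440-exec-1 DfwUtil 6717 POLICY '
    '[nsx@6876 comp="nsx-manager" errorCode="PM500090" level="ERROR" subcomp="manager"] '
    '[/infra/domains/default/groups/app-old]'
)

if __name__ == "__main__":
    offline_lookup = lambda path: path in KNOWN_GROUPS  # swap for live_group_exists(...)
    print("missing refs:", missing_group_refs(SAMPLE_POLICY, offline_lookup))
    print("from log:    ", failing_paths_from_log(SAMPLE_LOG))
```

Run the preflight in the automation pipeline before the PATCH; if missing_group_refs returns anything, fix the payload (or recreate the group) instead of letting NSX reject the whole policy. After a failure, failing_paths_from_log gives the same path the KB tells you to find manually in nsxapi.log.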

Additional Information

If you are contacting Broadcom support about this issue, please provide the following: NSX Manager support bundles, ESXi host support bundles, and the text of any error messages seen in the NSX GUI or command lines pertinent to the investigation.