Planned Fix

CVE-2026-40372

Microsoft Pre-Auth Auth Bypass in ASP.NET Core DataProtection

Summary

Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6 can verify HMAC tags over the wrong bytes, letting a remote attacker forge protected payloads. In ASP.NET Core apps that load the vulnerable NuGet package at runtime on Linux, macOS, or other non-Windows systems, forged cookies or tokens can be used to impersonate privileged users and escalate to SYSTEM. The flaw can also expose protected data such as authentication cookies and antiforgery tokens.

Why Planned Fix?

Score: 4/6
  • No authentication required
  • Mixed internet / internal deployment
  • No user interaction needed
  • Not exploitable in default configuration
  • No active exploitation or PoC
  • High impact vulnerability

Exploitation Details

Type: Authentication Bypass
Is exploitable with default configuration? No
Is authentication needed? No
PoC / Exploit: No
Impact

Forge protected cookies or tokens to impersonate privileged users and reach SYSTEM-level privilege on the host.

Privilege Escalation
Exploitation Requirements
  • Microsoft.AspNetCore.DataProtection 10.0.6 in use
  • NuGet package is loaded at runtime
  • Application runs on Linux, macOS, or other non-Windows OS
Exploitation Process

An attacker targets an ASP.NET Core application that uses Microsoft.AspNetCore.DataProtection 10.0.6 loaded from NuGet on a non-Windows host. They send a crafted protected blob or cookie whose integrity check is validated against the wrong payload bytes, causing the application to accept attacker-controlled data as authentic. With a forged authentication cookie or related token, the attacker can impersonate a higher-privileged user and trigger privileged actions, potentially ending in SYSTEM access.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Microsoft
Product: Microsoft.AspNetCore.DataProtection
Affected Versions: 10.0.0 through 10.0.6
Description

ASP.NET Core is Microsoft's cross-platform web framework for building web apps, APIs, and services on .NET.

Deployment: Mixed (internet/internal) | Protocol: HTTPS | Ports: 80, 443

Affected Component: Microsoft.AspNetCore.DataProtection managed authenticated encryptor and HMAC validation for protected cookies, antiforgery tokens, and similar payloads.

Enterprise Usage: estimated likelihood that this vendor/product is deployed in enterprise environments, on a scale from Very Low to Very High. AI-generated estimate based on market presence, product type and adoption signals; not exact data.
Vendor Size: Big
Remediation
Workaround

Not available

Patch

Not available

Update
Upgrade Microsoft.AspNetCore.DataProtection to 10.0.7 or later and rebuild/redeploy applications using the updated package or runtime.
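
The following triage script is an added example, not code from Microsoft or from this tracker page. It locates references to Microsoft.AspNetCore.DataProtection in a project's build manifest (.csproj) and runtime manifest (.deps.json) and compares each version with the range stated above (10.0.0 through 10.0.6 affected, 10.0.7 fixed). Only .deps.json entries of type "package" are reported, because those are resolved from NuGet, which matches the "NuGet package is loaded at runtime" requirement. The sample manifests embedded in the script are constructed for illustration, and the handling of prerelease builds of 10.0.7 (treated as still affected) is a conservative assumption of this example, not a statement from the advisory.

```python
"""Triage helper for CVE-2026-40372: find Microsoft.AspNetCore.DataProtection
references in .NET manifests and compare them with the published affected range.

Added example; not from Microsoft or the tracker page. The sample manifests
at the bottom are constructed for illustration."""
import json
import platform
import xml.etree.ElementTree as ET
from typing import Dict, Iterator, List, Tuple

PACKAGE = "Microsoft.AspNetCore.DataProtection"
AFFECTED_MIN = (10, 0, 0)   # range from the advisory text
AFFECTED_MAX = (10, 0, 6)   # inclusive
FIXED = (10, 0, 7)


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Split a NuGet version into (major, minor, patch) and a prerelease flag.
    '10.0.6' -> ((10, 0, 6), False); '10.0.7-preview.2' -> ((10, 0, 7), True)."""
    core, sep, _ = version.partition("-")
    core = core.split("+", 1)[0]           # drop build metadata
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2]), bool(sep)


def assess(version: str) -> str:
    """Classify a version against the published range.
    Prereleases of the fixed version sort before it in SemVer, so this example
    conservatively treats them as 'affected' (an assumption, not advisory text)."""
    core, prerelease = parse_version(version)
    if AFFECTED_MIN <= core <= AFFECTED_MAX:
        return "affected"
    if core == FIXED and prerelease:
        return "affected"
    if core >= FIXED:
        return "fixed"
    return "outside-range"


def versions_in_deps_json(text: str) -> Iterator[str]:
    """Yield package versions recorded in a *.deps.json runtime manifest.
    Library keys look like 'Name/Version'; type 'package' means resolved from NuGet."""
    data = json.loads(text)
    for key, lib in data.get("libraries", {}).items():
        name, _, version = key.partition("/")
        if name.lower() == PACKAGE.lower() and lib.get("type") == "package":
            yield version


def versions_in_csproj(text: str) -> Iterator[str]:
    """Yield versions from <PackageReference> elements in a project file."""
    root = ET.fromstring(text)
    for el in root.iter():
        if el.tag.endswith("PackageReference") and el.get("Include", "").lower() == PACKAGE.lower():
            version = el.get("Version") or el.findtext("Version") or ""
            if version:
                yield version


def scan(sources: Dict[str, str]) -> List[Dict[str, str]]:
    """sources maps a file name to its content; returns one finding per reference."""
    findings = []
    for name, text in sources.items():
        if name.endswith(".deps.json"):
            versions = versions_in_deps_json(text)
        elif name.endswith(".csproj"):
            versions = versions_in_csproj(text)
        else:
            continue
        for v in versions:
            findings.append({"file": name, "version": v, "status": assess(v)})
    return findings


def host_in_scope() -> bool:
    """The advisory lists non-Windows hosts as an exploitation requirement."""
    return platform.system() != "Windows"


# Constructed sample manifests (not real project files).
SAMPLE_SOURCES = {
    "WebApp.deps.json": json.dumps({
        "libraries": {
            "WebApp/1.0.0": {"type": "project"},
            "Microsoft.AspNetCore.DataProtection/10.0.6": {"type": "package"},
        }
    }),
    "WebApp.csproj": """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.7" />
  </ItemGroup>
</Project>""",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCES):
        print(f"{f['file']}: {PACKAGE} {f['version']} -> {f['status']}")
    print("host OS in scope (non-Windows):", host_in_scope())
```

In a real deployment, feed `scan()` the contents of every `*.csproj` and published `*.deps.json` under the application root; a "fixed" project file next to an "affected" runtime manifest (as in the constructed sample) indicates the application has not been rebuilt and redeployed with the updated package yet.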

devblogs.microsoft.com
Threat Intelligence
EPSS Score: 0.0%

Probability of exploitation in the next 30 days

EPSS Percentile: 12%

Worse than 12% of all CVEs

CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data

Description Summary

Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.

CVSS Base Score

9.1
Critical

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None
CWE: CWE-347 Improper Verification of Cryptographic Signature

Priority History

Planned Fix

Initial analysis