PT-2026-34051 · Microsoft+2 · Asp.Net Core+2
Published: 2026-04-21 · Updated: 2026-06-04 · CVE-2026-40372
CVSS v3.1: 9.4 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6; Visual Studio 2026 version 18.5
Description: Improper verification of cryptographic signatures in the Microsoft.AspNetCore.DataProtection library allows an unauthorized remote attacker to elevate privileges over a network. The issue enables forgery of authentication cookies and decryption of certain protected payloads, potentially granting the attacker SYSTEM-level access. Real-world incidents have been reported in which attackers forged authentication tokens to escalate to administrator privileges and then performed lateral movement. The flaw is particularly impactful on non-Windows operating systems such as Linux and macOS, where it can be exploited through a padding-oracle condition; doing so requires a high volume of requests against endpoints that accept protected payloads, such as authentication cookies, antiforgery tokens, or state parameters.
Recommendations:
Upgrade Microsoft.AspNetCore.DataProtection to version 10.0.7 or later and redeploy the application.
Rotate the DataProtection key ring to invalidate any legitimately signed tokens issued to attackers during the vulnerable window.
Audit application-level long-lived artifacts created during the vulnerable window, such as API keys, refresh tokens, access tokens, password reset links, or email-confirmation tokens, and rotate them at the application layer.
Rotate any long-lived secrets, such as database connection strings or third-party API keys, that were stored in plaintext inside IDataProtector.Protect output.
Review web server logs for anomalous high-volume traffic against endpoints accepting protected payloads to identify potential exploitation attempts.
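The log review in the last recommendation, as an added example that is not part of the advisory or of Microsoft's code: a Python scan over combined-format web server logs that flags any client sending an unusually high number of requests to one endpoint that accepts protected payloads within a short window, reporting the share of 4xx/5xx responses in the burst as a supporting signal. The endpoint paths, threshold, window and log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (nginx/Apache default); the timezone offset is captured but ignored.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Assumed paths of endpoints that consume DataProtection-protected payloads (auth cookies,
# antiforgery tokens, an OAuth 'state' parameter). Not from the advisory; adjust per app.
PROTECTED_ENDPOINTS = ("/account/", "/api/", "/signin-oidc")

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skipped rather than counted as traffic
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])

def find_suspicious(lines, threshold=200, window=timedelta(minutes=5)):
    # Flag any (client, endpoint) pair with more than `threshold` requests inside a sliding
    # `window`; the share of 4xx/5xx responses in the burst is reported as a supporting signal.
    per_key = defaultdict(list)
    for ip, ts, path, status in filter(None, map(parse, lines)):
        if path.startswith(PROTECTED_ENDPOINTS):
            per_key[(ip, path)].append((ts, status))
    hits = []
    for (ip, path), events in per_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > threshold:
                burst = events[start:end + 1]
                errors = sum(1 for _, s in burst if s >= 400)
                hits.append((ip, path, len(burst), round(errors / len(burst), 2)))
                break  # one finding per pair is enough for triage
    return hits

def sample_log():
    # Constructed sample: one client sends 250 requests in ~4 minutes to /account/profile,
    # nearly all rejected with 401; a second client makes five ordinary requests.
    t0 = datetime(2026, 5, 2, 10, 0, 0)
    fmt = '{ip} - - [{ts}] "GET /account/profile HTTP/1.1" {st} 512'
    stamp = lambda i: (t0 + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    probe = [fmt.format(ip="198.51.100.7", ts=stamp(i), st=401 if i % 10 else 200) for i in range(250)]
    normal = [fmt.format(ip="203.0.113.5", ts=stamp(60 * i), st=200) for i in range(5)]
    return probe + normal
```

Run `find_suspicious(sample_log())` against the constructed sample, or feed real access-log lines and tune `threshold` and `window` to the application's normal per-client request rate.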

Fix
LPE
Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers

BDU:2026-05725
BIT-ASPNET-CORE-2026-40372
CVE-2026-40372
GHSA-9MV3-2CWR-P262
USN-8215-1
USN-8216-1

Affected Products

Asp.Net Core
Linuxmint
Ubuntu