DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-40372: ASP.NET Core Elevation of Privilege Vulnerability

Vulnerability ID: CVE-2026-40372
CVSS Score: 9.1
Published: 2026-04-21

A critical Elevation of Privilege (EoP) vulnerability exists in the Microsoft.AspNetCore.DataProtection library within ASP.NET Core 10.0. A logic flaw in the cryptographic signature verification routine of the Managed Authenticated Encryptor allows unauthorized attackers to bypass integrity checks by submitting an all-zero HMAC, enabling the forgery of protected payloads such as authentication cookies and antiforgery tokens.

TL;DR

ASP.NET Core 10.0 contains a critical EoP flaw (CVSS 9.1): the managed DataProtection encryptor accepts payloads carrying an all-zero HMAC as valid, so attackers can forge authentication cookies and gain administrative privileges without prior access. Patch to 10.0.7 and rotate the DataProtection key ring immediately.

⚠️ Exploit Status: Proof of Concept (PoC) available

Technical Details

  • CWE ID: CWE-347 (Improper Verification of Cryptographic Signature)
  • Attack Vector: Network
  • CVSS v3.1 Score: 9.1 (Critical)
  • Impact: Elevation of Privilege / Authentication Bypass
  • Exploit Status: Proof of Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • Linux host environments running ASP.NET Core 10.0
  • macOS host environments running ASP.NET Core 10.0
  • Any system explicitly configured to use the Managed Authenticated Encryptor in .NET 10 (the managed AES-CBC + HMAC-SHA256 encryptor is the DataProtection default on non-Windows hosts, which is why Linux and macOS appear above; Windows hosts default to the CNG encryptor unless configured otherwise)
  • ASP.NET Core: 10.0.0 - 10.0.6 (Fixed in: 10.0.7)
  • Microsoft.AspNetCore.DataProtection: 10.0.0 - 10.0.6 (Fixed in: 10.0.7)

Mitigation Strategies

  • Upgrade Microsoft.AspNetCore.DataProtection to version 10.0.7 or higher.
  • Rotate the DataProtection key ring to invalidate previously forged payloads.
  • Audit logs for anomalous authentication patterns or high volumes of DataProtection decryption errors.
  • Revoke long-lived artifacts (API keys, password reset links) generated during the vulnerable window.

Remediation Steps

  1. Identify all ASP.NET Core projects utilizing the net10.0 target framework.
  2. Update the Microsoft.AspNetCore.DataProtection NuGet package to version 10.0.7.
  3. Deploy the updated application binaries to the hosting environment.
  4. Execute an administrative script or deployment routine calling IKeyManager.RevokeAllKeys to rotate cryptographic keys.
  5. Monitor application logs to verify successful token reissuance for legitimate users.
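A concrete form of remediation step 4, added here as an example; it is not code from the report or from ASP.NET Core itself. `KeyRingRotation` and `RevokeAllAndCreateReplacement` are hypothetical names, `services` is assumed to be the application's own service provider built with the same `AddDataProtection()` configuration (key ring storage, key encryption) as the deployed app, and the reason string is supplied by the caller.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical one-off rotation routine (added example, not project code).
// Run it with the deployed app's DI configuration so the revocation is written
// to the real key ring rather than to a throwaway local one.
public static class KeyRingRotation
{
    public static Guid RevokeAllAndCreateReplacement(IServiceProvider services, string reason)
    {
        var keyManager = services.GetRequiredService<IKeyManager>();
        var revocationDate = DateTimeOffset.UtcNow;

        // Writes a wildcard revocation to the key ring: every key created on or before
        // revocationDate is treated as revoked, so payloads protected (or forged) under
        // those keys fail to unprotect from now on.
        keyManager.RevokeAllKeys(revocationDate, reason);

        // The key ring provider would mint a key on its next refresh anyway; creating one
        // explicitly removes the window in which no active key exists. The 90-day lifetime
        // mirrors the framework default and should follow local policy.
        var activation = DateTimeOffset.UtcNow;
        var replacement = keyManager.CreateNewKey(activation, activation.AddDays(90));

        // Re-read the key ring and confirm the replacement is the only key left unrevoked.
        var live = keyManager.GetAllKeys().Where(k => !k.IsRevoked).ToList();
        if (live.Count != 1 || live[0].KeyId != replacement.KeyId)
        {
            throw new InvalidOperationException(
                $"Expected only key {replacement.KeyId} to be active, found {live.Count} active key(s)");
        }
        return replacement.KeyId;
    }
}
```

Every existing authentication cookie and antiforgery token becomes invalid once this runs, so all users re-authenticate; schedule it with that in mind and keep the returned key ID for the log verification in step 5.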

Read the full report for CVE-2026-40372 on our website for more details including interactive diagrams and full exploit analysis.
