Microsoft has published an out-of-band security update to fix a critical elevation-of-privilege vulnerability in ASP.NET Core. The flaw, tracked as CVE-2026-40372, affects the cryptographic APIs of the ASP.NET Core Data Protection system and, under certain conditions, allows an unauthenticated attacker to forge cookies and other protected data in order to impersonate privileged users.
The problem came to light when several developers began to see decryption failures in their applications after installing the .NET 10.0.6 update shipped in this month's Patch Tuesday. On investigating, Microsoft found a regression in the NuGet package Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6: the component that generated and validated the HMAC tag computed the integrity check over the wrong bytes of the payload and, in some scenarios, discarded the computed hash altogether. The combination lets apparently valid signatures pass the authenticity check, so previously protected payloads (session cookies, antiforgery tokens, TempData or OIDC state, for example) can be decrypted or forged. The technical explanation is in the release notes for version 10.0.7 published by the .NET team: release notes for version 10.0.7.

The practical consequences are worrying: if an attacker was able to authenticate with a privileged identity using forged payloads during the vulnerability window, the application may have gone on to issue legitimate tokens (refresh tokens, API keys or password reset links, for example) that remain valid even after the fix is applied, unless the Data Protection key ring is rotated. Microsoft describes these implications in its security advisory: MSRC advisory on CVE-2026-40372.
Microsoft's immediate recommendation is to update the Microsoft.AspNetCore.DataProtection package to version 10.0.7 and redeploy the affected applications as soon as possible, so that the restored validation routine rejects forged payloads again. The .NET team summarized the instructions and the risk in a technical statement that asks all customers to act with priority: .NET blog post on the 10.0.7 out-of-band release. The updated package is available from the official download page: .NET 10.0 downloads.
Patching alone is not enough: organizations whose applications may have been manipulated during the exposure window should consider rotating their Data Protection keys to invalidate tokens that were issued to an impersonated identity. The official documentation on how Data Protection works and how to manage the key ring can guide this process without interrupting services: Data Protection documentation for ASP.NET Core and the key management guide.
Microsoft also clarified that, beyond impersonating identities and obtaining legitimately issued tokens, the vulnerability can be exploited to disclose information or modify data stored by the application. According to the advisory, however, the flaw does not affect system availability (it does not, for example, cause a denial of service at the operating system level).

This incident adds to other recent serious vulnerabilities reported in the ASP.NET Core ecosystem. Last October Microsoft patched an HTTP request smuggling flaw in the Kestrel web server that was rated particularly high in severity and allowed authenticated attackers to hijack other users' credentials, bypass front-end security controls or even crash the server; that vulnerability is tracked as CVE-2025-55315. The recurrence of critical problems in web infrastructure components underlines the need to apply patches quickly and to maintain defence-in-depth controls.
For managers and development teams the practical road map is clear: update to package version 10.0.7, redeploy services, review logs and unusual access signals from the vulnerable window and, where exposure is suspected, rotate the Data Protection keys and revoke sensitive tokens. Microsoft maintains a record of the affected platforms and configurations in the official announcement that accompanies the fix: GitHub announcement about the update.
Finally, it is worth recalling that Microsoft has continued to publish out-of-cycle updates for other problems identified after the April 2026 updates, and that the security of modern web applications depends both on prompt patching and on practices such as configuration hardening, active monitoring and privilege separation. If you run ASP.NET Core applications that use Data Protection, act now: patch, redeploy and validate the integrity of your keys and tokens.