Microsoft Patches Critical ASP.NET Core DataProtection Flaw That Breaks Cryptographic Signatures
April 23, 2026
Vercel got breached. Here is what that means for everyone downstream.
April 19, 2026
When the System Built to Warn Us Can No Longer Keep Pace
April 15, 2026
Your AI Agent Remembers Your Secrets
April 13, 2026
Your Home Directory is a Secret Goldmine for Attackers
April 6, 2026
When a core npm dependency becomes the attack path: lessons from the Axios compromise
March 31, 2026
When the AI dependency becomes the attack path: lessons from the LiteLLM PyPI compromise
March 24, 2026
When the security scanner becomes the attack path: lessons from the Trivy compromise
March 23, 2026
Critical Path Traversal Vulnerability in jsPDF Library (CVE-2025-68428)
January 6, 2026
MongoBleed: Unauthenticated Memory Disclosure in MongoDB (CVE-2025-14847)
December 27, 2025
Critical Remote Code Execution in n8n Workflow Automation: CVE-2025-68613
December 19, 2025
The Return of Shai-Hulud: npm's Worm Strikes Back
November 24, 2025
Critical Chrome Zero-Day Exploited: Google Rushes Emergency Patch for CVE-2025-0411
October 28, 2025
Critical Remote Code Execution Vulnerability in React Server Components
December 3, 2025
Vulnerability AnalysisApril 23, 20267 min read

Microsoft Patches Critical ASP.NET Core DataProtection Flaw That Breaks Cryptographic Signatures

CVE-2026-40372 is a CVSS 9.1 regression in Microsoft.AspNetCore.DataProtection that discards HMAC validation entirely on non-Windows systems. An attacker can forge auth cookies, decrypt protected payloads, and issue themselves valid tokens. Here is what happened, who is affected, and what to do right now.

On April 23, 2026, Microsoft released an out-of-band emergency patch for CVE-2026-40372, a critical regression in the Microsoft.AspNetCore.DataProtection NuGet package. The vulnerability carries a CVSS v3.1 score of 9.1 and its vector tells you most of what you need to know: no authentication required, no user interaction, accessible over the network.

The DataProtection API is how ASP.NET Core protects authentication cookies, antiforgery tokens, session state, password reset links, and OIDC state parameters. When that layer fails silently, an attacker does not need to find a separate injection point. The protection mechanism itself becomes the vulnerability.

What broke, technically

The flaw is a regression in the managed authenticated encryptor, classified as CWE-347: Improper Verification of Cryptographic Signature. Two distinct failure modes exist in the affected build:

  • The HMAC validation tag is computed over the wrong bytes of the payload, meaning the integrity check runs but checks the wrong data.
  • In some code paths, the computed hash is discarded entirely before the comparison step, bypassing integrity verification completely.

The practical consequence is that an attacker who can observe a valid protected payload — say, an authentication cookie — can modify it and resubmit it without the server detecting the tampering. With a bit more work, they can craft entirely new payloads and have them accepted as legitimate by the application.

This is not an exploit that requires sophisticated tooling. Any HTTP client and a working understanding of the DataProtection format is sufficient once the integrity check is gone.

Who is affected

The vulnerability is narrow in its version scope but broad in its impact for those who hit it:

  • Affected package: Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6
  • Platform restriction: The regression only manifests on non-Windows operating systems — Linux and macOS deployments
  • Fixed version: 10.0.7 or later

The Windows exclusion may feel like a relief for some teams, but it is worth pausing on. The majority of production ASP.NET Core deployments in the last two years have shifted toward Linux containers. If your application runs in Docker, Kubernetes, or any Linux-based cloud runtime, the platform restriction does not protect you.

The affected package version also has broad blast radius through transitive dependencies. You may not have directly declared Microsoft.AspNetCore.DataProtection in your project, but if any of your dependencies pulled in 10.0.6, you are running the vulnerable code at runtime.

What an attacker can do with this

The full exploitation surface is significant. DataProtection underpins several mechanisms in a typical ASP.NET Core application:

  • Authentication cookies — forge a session for any user, including administrators, without knowing their password
  • Antiforgery tokens — bypass CSRF protections on state-changing endpoints
  • Password reset and email confirmation links — generate valid tokens for arbitrary accounts
  • OIDC state parameters — manipulate OAuth flows to redirect authentication to attacker-controlled endpoints
  • TempData payloads — tamper with server-side state passed between requests
  • Decryption of previously captured traffic — if an attacker archived protected payloads from the vulnerable window, those can now be decrypted

The most critical scenario is authentication cookie forgery. An attacker who knows the user identifier for an admin account — often just an email address or a sequential integer — can construct a valid session cookie without ever interacting with the login endpoint. No credentials, no brute force, no phishing required.

What to do right now

The patch is available and upgrading is the only real fix. But patching alone is not sufficient if your application was exposed during the vulnerable window.

  • Upgrade immediately to Microsoft.AspNetCore.DataProtection 10.0.7 or later
  • Audit transitive dependencies — check your lock file for any package that pulls in the vulnerable version, not just direct references
  • Rotate the DataProtection key ring — tokens issued during the vulnerable window remain cryptographically valid after the upgrade unless you rotate keys. Existing sessions, password reset links, and OIDC tokens all need to be invalidated
  • Force reauthentication for all active sessions, particularly those with elevated privileges
  • Audit long-lived tokens — password reset links and API tokens issued between the deployment of 10.0.0 and the patch have unknown integrity and should be expired
  • Review authentication logs for unusual session creation patterns, especially sessions that do not correspond to a preceding login event
  • Rotate application secrets stored as DataProtection payloads — connection strings, API credentials, or any value your application protected with the API during the exposure window

The key rotation step is the one most teams will skip. It is also the step that matters most. Upgrading to 10.0.7 stops new forgeries. Rotating the key ring invalidates anything that may have been forged before you patched.

The regression problem

Something worth noting about the nature of this vulnerability: it is a regression, not a design flaw. The DataProtection API worked correctly before 10.0.0. Something introduced in that version broke the HMAC validation in a way that was not caught before release and was not caught through six subsequent patch versions.

Cryptographic code is notoriously difficult to regression-test because incorrect implementations often look correct at the unit test level. A test that checks whether a payload roundtrips successfully through protect and unprotect will pass even when the HMAC is computed over the wrong bytes — the payload still decrypts, the test still passes, and the integrity violation is invisible.

Catching this class of bug requires adversarial tests: can a tampered payload be accepted? Can a payload forged without access to the key be verified? Those tests are rarely written because developers tend to test the happy path. This incident is an argument for making adversarial cryptographic tests a first-class part of any security-critical library’s test suite.

Where Prismor fits

When a vulnerability like this lands, the first question is not “are we using ASP.NET Core?” — most teams know that. The harder question is: which services are running 10.0.6 specifically, on Linux, and were they internet-facing during the exposure window?

Answering that requires knowing your dependency graph across every service and deployment, not just the ones someone remembers to check. The window between “patch released” and “every affected instance actually updated” is where the real risk lives. And for transitive dependencies, that window is longer because teams frequently do not realize they are carrying the vulnerable version at all.

Inventory is what closes that window. Knowing what is running, where, and with which dependency versions is what turns a fire drill into a twenty-minute remediation.

Source: dotnet/announcements — CVE-2026-40372 ASP.NET Core DataProtection Privilege Escalation Vulnerability