Summary
CVE-2026-40372 is a critical ASP.NET Core Data Protection vulnerability caused by improper cryptographic signature verification in Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6. The flaw allows attackers to forge authentication cookies and protected payloads, potentially enabling privilege escalation and unauthorized access. Microsoft fixed the issue in version 10.0.7, and immediate patching, along with Data Protection key rotation, is strongly recommended.
Urgent Actions Required
- Upgrade Microsoft.AspNetCore.DataProtection to version 10.0.7 or later immediately.
- Rebuild and redeploy all affected ASP.NET Core applications using the patched libraries or runtime.
- Rotate the Data Protection key ring to invalidate forged or previously issued malicious tokens.
- Review authentication logs and monitor for suspicious token activity or abnormal authentication attempts.
- Audit long-lived artifacts such as refresh tokens, password reset links, and API keys issued during the vulnerable period.
Which Systems Are Vulnerable to CVE-2026-40372?
Technical Overview
- Vulnerability Type: Improper Verification of Cryptographic Signature Leading to Privilege Escalation
-
Affected Software/Versions:
- Microsoft.AspNetCore.DataProtection 10.0.0 - 10.0.6
- ASP.NET Core 10.0.0 - 10.0.6
-
Affected Platforms:
- Linux
- macOS
-
CVSS Vector: v3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
- Patch Availability: Yes, available
How Does the CVE-2026-40372 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2026-40372?
Vulnerability Root Cause:
This vulnerability is caused by improper cryptographic signature verification in Microsoft.AspNetCore.DataProtection versions 10.0.0 – 10.0.6. The managed authenticated encryptor incorrectly validates the HMAC of protected payloads, allowing specially crafted authentication data to bypass integrity checks. As a result, attackers can forge authentication cookies, antiforgery tokens, and other protected payloads that the application may incorrectly trust as legitimate, potentially leading to unauthorized access and privilege escalation.
How Can You Mitigate CVE-2026-40372?
If immediate patching is delayed or not possible:
- Monitor authentication endpoints for abnormal request patterns and suspicious token activity.
- Review logs for repeated requests involving authentication cookies, antiforgery tokens, or protected payloads.
- Rotate the Data Protection key ring to invalidate potentially forged tokens.
- Audit long-lived artifacts such as refresh tokens, API keys, and password reset links issued during the vulnerable period.
- Rebuild and redeploy applications after updating affected Data Protection packages or runtimes.
Which Assets and Systems Are at Risk?
-
Asset Types Affected:
- ASP.NET Core Applications - Applications using Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6
- Authentication Systems - Environments relying on authentication cookies, antiforgery tokens, TempData, or protected payloads
- Linux and macOS Deployments - Systems using the managed authenticated encryptor on non-Windows platforms
-
Business-Critical Systems at Risk:
- Internet-Facing Web Applications - Applications exposing authentication or protected endpoints to external users
- Administrative Interfaces - Systems where forged authentication tokens could provide elevated access
- API Services - Applications using protected tokens or session validation through ASP.NET Core Data Protection
- Applications Issuing Long-Lived Tokens - Systems generating refresh tokens, API keys, or password reset links
-
Exposure Level:
- Publicly Accessible ASP.NET Core Applications - Especially those running vulnerable Data Protection package versions
- Non-Windows Environments - Linux and macOS deployments using the affected managed encryptor path
- Applications Running Vulnerable Runtime or NuGet Packages - Deployments using Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6
Will Patching CVE-2026-40372 Cause Downtime?
Patch application impact: Low. Updating to Microsoft.AspNetCore.DataProtection 10.0.7 typically requires rebuilding and redeploying applications with minimal downtime. Restarting services may be required to load patched components.
Mitigation (if immediate patching is not possible): Monitor for suspicious authentication activity, rotate Data Protection keys, and audit tokens issued during the vulnerable period. Systems remain at risk until the official patch is applied.
How Can You Detect CVE-2026-40372 Exploitation?
Exploitation Signatures:
Look for abnormal request volume against endpoints that process authentication cookies, antiforgery tokens, or protected payloads. Repeated requests with varying cookie or query parameter values may indicate exploitation attempts.
MITRE ATT&CK Mapping:
- T1190 - Exploit Public-Facing Application
- T1539 - Steal Web Session Cookie
- T1550 - Use Alternate Authentication Material
Indicators of Compromise (IOCs/IOAs):
- Suspicious authentication cookie or protected payload activity
- Unexpected privileged authentication events
- Unusual requests targeting protected endpoints
Behavioral Indicators:
- Unauthorized privileged access through forged authentication payloads
- High-volume traffic against authentication-related endpoints
Alerting Strategy:
- Priority: Critical
-
Trigger alerts for:
- Repeated requests involving authentication cookies or protected payloads
- Suspicious privileged authentication activity
- High-volume requests targeting authentication endpoints
Remediation & Response
-
Remediation Timeline:
- Immediate: Upgrade Microsoft.AspNetCore.DataProtection to version 10.0.7 or later.
- After patching: Rebuild and redeploy affected applications.
- Post-deployment: Rotate the Data Protection key ring and verify old, forged tokens are rejected.
-
Incident Response Considerations:
- Review logs for suspicious authentication activity and abnormal requests involving protected payloads.
- Audit refresh tokens, API keys, and password reset links issued during the vulnerable period.
- Monitor authentication endpoints for unusual request volume or token abuse attempts.
Compliance & Governance Notes
-
Audit Trail Requirement:
- Review logs for abnormal requests involving authentication cookies, antiforgery tokens, and protected payloads.
- Audit long-lived artifacts such as refresh tokens, API keys, and password reset links issued during the vulnerable period.
- Record key rotation and patch deployment activities.
See How Fidelis Deception® Helps Detect and Trap Attackers Early
- Intelligent decoys, breadcrumbs, and active deception capabilities
- Real-time visibility into attacker movement across your environment
- High-fidelity alerts and cyber terrain mapping for faster response
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.1 | Critical severity vulnerability with high security impact |
| Attack Vector | Network | Can be exploited remotely over the network |
| Attack Complexity | Low | Exploitation does not require complex conditions |
| Privileges Required | None | No authentication is needed for exploitation |
| User Interaction | None | Exploitation does not require user action |
| Scope | Unchanged | The vulnerability impacts the vulnerable application component |
| Confidentiality Impact | High | Attackers may access sensitive protected data |
| Integrity Impact | High | Attackers may forge authentication payloads or modify protected data |
| Availability Impact | None | No direct impact on system availability was reported |
References:
