Microsoft has released an out-of-band security update for a critical vulnerability in ASP.NET Core that could allow attackers to escalate privileges by abusing flaws in the platform’s Data Protection component.
The vulnerability, tracked as CVE-2026-40372, affects the Microsoft.AspNetCore.DataProtection NuGet package and has been fixed with version 10.0.7. According to Microsoft’s advisory, the issue is caused by improper verification of cryptographic signatures in ASP.NET Core. In practical terms, this means that protected application data — including authentication cookies, antiforgery tokens or other signed state information — may not have been validated correctly under certain conditions.
That makes the flaw particularly sensitive. ASP.NET Core Data Protection is not just another software library; it is part of the trust layer many web applications rely on to protect authentication and session-related data. If that layer can be bypassed, attackers may be able to forge payloads that appear legitimate to the application.
The issue became visible after users reported decryption problems following the .NET 10.0.6 update released during Microsoft’s April Patch Tuesday cycle. Microsoft later confirmed that a regression in affected Data Protection packages caused the managed authenticated encryptor to calculate validation data incorrectly in some cases.
The vulnerability has been assigned a CVSS score of 9.1, with Microsoft describing it as a network-exploitable privilege escalation issue that does not require prior authentication. Public advisories note that successful exploitation could allow an attacker to gain elevated privileges, disclose files or modify data, while availability is not believed to be directly affected.
For organizations, the key point is that patching alone may not always be enough. Microsoft and security vendors advise affected users to update to Microsoft.AspNetCore.DataProtection 10.0.7 as quickly as possible. However, if forged authentication material or other trusted tokens were created during the vulnerable window, they may remain valid until the application’s Data Protection key ring is rotated.
From a security operations perspective, the case shows why emergency patches in core development frameworks deserve immediate attention. This is not a classic endpoint vulnerability where the affected asset is easy to isolate. It sits inside application logic, identity handling and web trust mechanisms. For companies running ASP.NET Core applications, the priority should therefore be clear: identify affected packages, update immediately, redeploy applications and review whether key rotation or session invalidation is required.
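The last step of that checklist, rotating the key ring so material issued during the vulnerable window stops validating, is the part teams most often skip. The following is an added example, not code from Microsoft's advisory or from ASP.NET Core itself, showing how a small operator tool can do it with the public IKeyManager API once the fixed package is installed. It assumes a .NET 10 project referencing Microsoft.AspNetCore.DataProtection 10.0.7 and Microsoft.Extensions.DependencyInjection, and the application name, key directory path and protector purpose string are placeholders to be replaced with the application's real values.

```csharp
// Added example (not the advisory's or the framework's own code): after patching,
// revoke every Data Protection key created before a cutoff and issue a fresh one,
// so payloads protected earlier (cookies, antiforgery tokens, session state) are
// rejected and users are forced to re-authenticate.
// Assumptions: the key ring is persisted to a directory shared by all nodes,
// and the application name below matches the one configured in the web app.
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("example-app")                                     // placeholder: must match the web app
    .PersistKeysToFileSystem(new DirectoryInfo("/var/keys/example-app"))   // placeholder: the app's real key directory
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90));
using var serviceProvider = services.BuildServiceProvider();

var keyManager = serviceProvider.GetRequiredService<IKeyManager>();
var protector = serviceProvider.GetRequiredService<IDataProtectionProvider>()
                               .CreateProtector("Example.SessionState");   // placeholder purpose string

// Stand-in for a cookie or token issued before the patch: protected under the
// current (pre-rotation) default key.
string oldPayload = protector.Protect("session-for-user-42");

// 1. Revoke every key created before the cutoff. By default Unprotect refuses
//    any payload whose key is revoked, which is exactly what invalidates old material.
DateTimeOffset cutoff = DateTimeOffset.UtcNow;
keyManager.RevokeAllKeys(cutoff, reason: "Key ring rotation after CVE-2026-40372 fix");

// 2. Create a replacement key that is active immediately so new logins keep working.
IKey replacement = keyManager.CreateNewKey(
    activationDate: cutoff,
    expirationDate: cutoff.AddDays(90));
Console.WriteLine($"New default key: {replacement.KeyId}");

// 3. Verify the rotation: old payload rejected, freshly protected payload accepted.
try
{
    protector.Unprotect(oldPayload);
    Console.WriteLine("FAIL: payload from before the cutoff still validates");
}
catch (CryptographicException)
{
    Console.WriteLine("OK: payload from before the cutoff is rejected");
}

string freshPayload = protector.Protect("session-for-user-42");
Console.WriteLine(protector.Unprotect(freshPayload) == "session-for-user-42"
    ? "OK: payload under the new key validates"
    : "FAIL: new key does not round-trip");

// 4. Dump the key ring state for the change record.
foreach (IKey key in keyManager.GetAllKeys().OrderBy(k => k.CreationDate))
{
    Console.WriteLine($"{key.KeyId} created={key.CreationDate:u} " +
                      $"active={key.ActivationDate:u} revoked={key.IsRevoked}");
}
```

Run this once against the shared key store after every node has been redeployed with the fixed package; application instances that cache the key ring pick up the revocation on their next refresh, so a short window of mixed behaviour across nodes is expected. Keys persisted to a file system should also be protected at rest (for example with ProtectKeysWithCertificate or ProtectKeysWithDpapi), which this example omits for brevity.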
The incident also underlines a broader lesson for enterprise security teams: modern application risk is increasingly tied to dependencies, frameworks and cryptographic implementation details. When a widely used platform component fails, the impact can extend far beyond a single vulnerable server.