## Microsoft ASP.NET Core CVE-2026-40372: Critical Bug Allows Forged Authentication, Privilege Escalation on the Scale of MS10-070
A critical vulnerability in Microsoft's ASP.NET Core framework allows attackers to forge authentication cookies and decrypt protected data, creating a direct path to full system compromise. The bug, tracked as CVE-2026-40372, resides in the `Microsoft.AspNetCore.DataProtection` NuGet packages, versions 10.0.0 through 10.0.6. An attacker exploiting this flaw can carry out an Elevation of Privilege attack, potentially authenticating as any user, including highly privileged administrators.

The technical impact is severe and far-reaching. If an attacker successfully forges payloads to impersonate a privileged user, they can trick the vulnerable application into issuing legitimately signed tokens back to them. These tokens, which can include session refresh tokens, API keys, or password reset links, would be cryptographically valid because the application itself produced them. Microsoft's own advisory draws a direct and alarming parallel to the historic MS10-070 vulnerability, the 2010 padding-oracle attack that compromised ASP.NET's legacy encryption on a massive scale, indicating the potential severity of this new flaw.

Crucially, the danger does not end with a simple patch. Upgrading to the fixed version 10.0.7 does not automatically invalidate any tokens an attacker may have already obtained. These stolen credentials remain fully functional until administrators take the additional, manual step of rotating the application's DataProtection key ring: revoking the existing keys so that payloads protected with them no longer unprotect, and issuing a fresh key for new payloads. This creates a critical window where systems may appear patched but remain actively compromised, demanding immediate and thorough incident response from all affected development and security teams.
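The rotation step described above, as an added example that is not part of the advisory or of the ASP.NET Core project's own code. It uses the public `IKeyManager` API from `Microsoft.AspNetCore.DataProtection` to revoke every existing key and mint a new one, then checks that a payload protected before the rotation (standing in for a token the attacker already holds) is rejected afterwards. The key directory, application name and purpose string are placeholders; a real incident-response run points at the application's actual key store.

```csharp
// Added example (not from the advisory): rotate the DataProtection key ring after
// patching CVE-2026-40372 so that payloads an attacker may already hold stop validating.
// Placeholder values: key directory, application name "demo-app", purpose "Demo.Auth.Cookie".
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

class RotateKeyRing
{
    static void Main()
    {
        // Placeholder key store; a real run targets the production key repository
        // (file share, Redis, blob storage, ...) that the application is configured with.
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keys-demo"));

        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("demo-app")        // must match the real application's name
            .PersistKeysToFileSystem(keyDir);
        using var sp = services.BuildServiceProvider();

        var protector = sp.GetDataProtector("Demo.Auth.Cookie");
        var keyManager = sp.GetRequiredService<IKeyManager>();

        // A payload produced before rotation stands in for a token the attacker already obtained.
        string preRotation = protector.Protect("user=admin");
        Console.WriteLine("Before rotation: " + protector.Unprotect(preRotation));

        // Step 1: revoke every key created up to now. Keys are not deleted; they are
        // marked revoked so Unprotect refuses payloads that were protected with them.
        keyManager.RevokeAllKeys(DateTimeOffset.UtcNow, reason: "CVE-2026-40372 post-patch rotation");

        // Step 2: create a fresh key that is active immediately (90-day lifetime is a placeholder).
        var now = DateTimeOffset.UtcNow;
        keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));

        // Step 3: verify. The old payload must fail; new payloads must round-trip.
        try
        {
            protector.Unprotect(preRotation);
            Console.WriteLine("ERROR: old payload still accepted; rotation did not take effect");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("After rotation: old payload rejected (as intended)");
        }
        Console.WriteLine("New payload round-trips: " + protector.Unprotect(protector.Protect("user=admin")));

        // Audit trail: every key, with its revocation state.
        foreach (var key in keyManager.GetAllKeys())
            Console.WriteLine($"{key.KeyId} created={key.CreationDate:u} revoked={key.IsRevoked}");
    }
}
```

Two caveats a practitioner should keep in mind. First, the revocation only bites once every process reads the updated key ring: the DataProtection stack caches the key ring in memory and refreshes it on a fixed period (24 hours by default), so other instances sharing the same key store need a restart or a wait for that refresh before they stop accepting the old payloads. Second, rotation invalidates every payload protected with the old keys, not only the forged ones, so expect all users to be logged out and any outstanding password-reset or similar links to fail; that is the intended outcome here, not a side effect to avoid.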
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-40372, ASP.NET Core, Microsoft Security, Privilege Escalation, DataProtection
- **Credibility**: unverified
- **Published**: 2026-04-21 19:23:01
- **ID**: 74711
- **URL**: https://whisperx.ai/en/intel/74711