## Microsoft ASP.NET Core CVE-2026-40372: Critical Privilege Escalation Bug in DataProtection Library
A critical vulnerability in Microsoft's ASP.NET Core DataProtection library allows attackers to forge authentication cookies and decrypt protected payloads, enabling full privilege escalation. The flaw, tracked as CVE-2026-40372, resides in NuGet package versions 10.0.0 through 10.0.6. An attacker exploiting this bug can authenticate as a privileged user and induce the application to issue legitimately signed tokens (such as session refresh tokens, API keys, or password reset links) to themselves.

The severity of this vulnerability is underscored by Microsoft's own comparison to MS10-070, a notorious 2010 padding-oracle attack that compromised ASP.NET's legacy encryption. The core danger lies in the persistence of the attack's effects: any tokens issued to an attacker during the vulnerable window remain valid even after upgrading to the patched version 10.0.7, unless administrators take the additional step of rotating the DataProtection key ring. This creates a two-part remediation challenge, leaving systems exposed if patching is not followed by key rotation.
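Because patching alone leaves previously issued tokens valid, the second remediation step is a key ring rotation. The following is an added example, not code from the advisory or from Microsoft, showing a one-off rotation with the public `IKeyManager` API of `Microsoft.AspNetCore.DataProtection`: it revokes every key created before the rotation (so cookies and tokens protected with those keys no longer unprotect), creates a fresh key, and verifies that no unrevoked old key remains. The key store path `/var/keys`, the application name `my-app`, the `ROTATE_DP_KEYS` environment variable and the 90-day key lifetime are assumptions for the example.

```csharp
// Added example (not from the advisory or from Microsoft): one-off DataProtection
// key ring rotation, intended to run once after upgrading to the patched package.
// Assumptions: keys persist to /var/keys, the app name is "my-app", rotation is
// triggered by ROTATE_DP_KEYS=1, and new keys live 90 days (the framework default).
using System;
using System.IO;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo("/var/keys"))   // assumed key store
    .SetApplicationName("my-app");                             // assumed app name
var app = builder.Build();

if (Environment.GetEnvironmentVariable("ROTATE_DP_KEYS") == "1")
{
    var keyManager = app.Services.GetRequiredService<IKeyManager>();
    var now = DateTimeOffset.UtcNow;

    // Audit trail: record the key ring as it looked before the rotation.
    foreach (var key in keyManager.GetAllKeys())
        Console.WriteLine($"existing key {key.KeyId} created {key.CreationDate:u} revoked={key.IsRevoked}");

    // Revoke every key created before 'now'. Payloads protected with a revoked key
    // (including any cookie or token obtained during the vulnerable window) fail to
    // unprotect from here on. This also signs out every legitimate user.
    keyManager.RevokeAllKeys(now, reason: "Key ring rotation after upgrade past CVE-2026-40372");

    // Replacement key, active immediately so Protect() keeps working.
    var fresh = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
    Console.WriteLine($"new key {fresh.KeyId} active {fresh.ActivationDate:u} expires {fresh.ExpirationDate:u}");

    // Check: no unrevoked key from before the rotation may remain.
    var stale = keyManager.GetAllKeys().Where(k => !k.IsRevoked && k.CreationDate < now).ToList();
    Console.WriteLine(stale.Count == 0
        ? "rotation complete"
        : $"WARNING: {stale.Count} unrevoked pre-rotation key(s) still present");
    return;
}

app.MapGet("/", () => "ok");
app.Run();
```

Run the rotation from a single node: the key repository is shared across a farm, so one `RevokeAllKeys` call covers every instance that reads the same store. Rotate only after every instance is on the patched package, otherwise a still-vulnerable node could issue tokens under the new key. Key rotation invalidates sessions for all users, so schedule it with that impact in mind, and keep the printed audit lines with the incident record.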

This advisory signals a significant security failure in a core Microsoft web framework component, directly impacting the integrity of authentication and authorization systems for countless .NET applications. The requirement for key ring rotation adds operational complexity and risk of oversight, potentially leaving a persistent backdoor for attackers who gained access during the vulnerability window. The disclosure places immediate pressure on development and security teams to audit, patch, and rotate keys across all affected deployments.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-40372, ASP.NET Core, Privilege Escalation, DataProtection, Security Vulnerability
- **Credibility**: unverified
- **Published**: 2026-04-21 19:23:02
- **ID**: 74712
- **URL**: https://whisperx.ai/en/intel/74712