CVE-2026-40372

ASP.NET Core Elevation of Privilege Vulnerability

CVSS 9.1 CRITICALEPSS 10.3%CWE-347

In short

ASP.NET Core doesn't properly verify digital signatures, allowing attackers to forge authentication credentials and gain unauthorized access to systems over the network.

Technical detail

The vulnerability stems from improper cryptographic signature verification in ASP.NET Core's authentication mechanism (CWE-347), enabling remote attackers to bypass signature validation and escalate privileges without prior authentication. This affects network-accessible ASP.NET Core applications and could lead to complete system compromise.

Summary generated and translated by AI from the official description.

Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C

Affected products

Microsoft · ASP.NET Core 10.0 Microsoft · Microsoft Visual Studio 2026 version 18.5

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372