EXECUTIVE SUMMARY:
CVE-2026-40372 (CVSS 9.1) is a critical authentication bypass vulnerability in the Microsoft.AspNetCore.DataProtection library for .NET 10, affecting versions 10.0.0 through 10.0.6. The flaw stems from a bug in the DataProtection NuGet packages that lets an attacker forge authentication cookies, log in as highly privileged users, and from there obtain legitimate long-lived tokens such as API keys, password reset links, or session refresh tokens. The attack vector is crafted requests submitted to an application running on Linux, macOS, or another non-Windows operating system; no privileges beyond standard user access are required. Because the application can be induced to issue tokens that remain valid even after patching, the business impact is significant: sensitive data such as database connection strings or third-party API keys may be exposed, and remediation requires a multi-step process to revoke existing keys and invalidate any forged tokens.
RECOMMENDATION:
We recommend updating .NET to version 10.0.7 and upgrading Microsoft.AspNetCore.DataProtection to version 10.0.7.
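The advisory notes that patching alone does not invalidate cookies or tokens already protected with the pre-patch keys. As an added illustration (not from the advisory or from Microsoft's guidance), the following C# shows how an operator can revoke every existing Data Protection key and create a fresh one after upgrading; the application name and key storage path are assumptions and must match what the application actually configures.

```csharp
// Added example (not from the advisory): after upgrading to 10.0.7, revoke every
// Data Protection key created before the patch so cookies and tokens protected
// with those keys stop validating. Assumed: app name "MyApp" and key path
// /var/myapp/keys; use whatever your application really configures.
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("MyApp")                                    // assumed
    .PersistKeysToFileSystem(new DirectoryInfo("/var/myapp/keys")); // assumed

using var provider = services.BuildServiceProvider();
var keyManager = provider.GetRequiredService<IKeyManager>();

// Record what is about to be revoked, for the incident log.
foreach (var key in keyManager.GetAllKeys())
{
    Console.WriteLine(
        $"revoking key {key.KeyId} (created {key.CreationDate:u}, already revoked: {key.IsRevoked})");
}

// Revoke all keys created before this instant. Unprotect() on payloads bound to
// these keys then throws CryptographicException, so forged cookies are rejected.
var cutoff = DateTimeOffset.UtcNow;
keyManager.RevokeAllKeys(cutoff, reason: "CVE-2026-40372 remediation");

// Create a replacement key that is active immediately.
var newKey = keyManager.CreateNewKey(activationDate: cutoff, expirationDate: cutoff.AddDays(90));
Console.WriteLine($"new key {newKey.KeyId} active until {newKey.ExpirationDate:u}");

// Credentials the application issued itself (API keys, reset links, refresh
// tokens stored server-side) are not bound to the key ring and must be
// invalidated separately, e.g. by clearing them from the application's store.
```

Run this once against the shared key store after every instance has been upgraded; all signed-in users will need to authenticate again.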
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/dotnet-10-authentication-bypass-cve-2026-40372-remediation/