CVE-2026-40372: Microsoft Security Advisory CVE-2026-40372 – ASP.NET Core Elevation of Privilege

A bug in Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages can give an attacker the opportunity to execute an Elevation of Privilege attack by forging authentication cookies, and also allows some protected payloads to be decrypted.

If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves. Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.

This is comparable in capability to MS10-070, which exploited a similar padding-oracle condition in ASP.NET’s legacy encryption infrastructure.