Microsoft ships emergency .NET 10.0.7 update for ASP.NET Core privilege escalation flaw
Microsoft has released .NET 10.0.7 as an out-of-band security update to fix CVE-2026-40372, a newly disclosed elevation of privilege vulnerability in the Microsoft.AspNetCore.DataProtection package. The company published the update on April 21, 2026, and says apps that use ASP.NET Core Data Protection should move to 10.0.7 as soon as possible.
The emergency release followed reports from developers who found that the earlier .NET 10.0.6 update was breaking decryption in their applications. Microsoft said that while investigating those failures, it discovered the deeper security issue behind them.
At the core of the bug, Microsoft says the managed authenticated encryptor in affected package versions could calculate its HMAC validation tag over the wrong bytes of a payload and then discard the computed hash. That flaw could let an attacker forge authentication cookies and, in some cases, decrypt protected payloads, creating an avenue for privilege escalation.
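As an added illustration, not Microsoft's or the DataProtection package's code, the toy protect/unprotect pair below models the property the advisory describes: the HMAC tag has to be computed over exactly the IV and ciphertext bytes that are being authenticated, and the computed tag has to be compared against the one carried in the payload before anything is decrypted. The cipher is a throwaway SHA-256 counter keystream and the key and function names are assumptions made only to keep the example self-contained.

```python
# Added example, not Microsoft's code. The toy cipher and the key names are assumptions
# for a self-contained demo; never use this construction in real software.
import hashlib
import hmac
import os

IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 digest length

def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream (illustration only, not real crypto)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC over IV || ciphertext; payload = IV || ciphertext || tag."""
    iv = os.urandom(IV_LEN)
    ciphertext = _keystream_xor(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag

def tag_is_valid(mac_key: bytes, payload: bytes) -> bool:
    """Recompute the tag over exactly the authenticated bytes, compare in constant time."""
    if len(payload) < IV_LEN + TAG_LEN:
        return False
    authenticated, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(mac_key, authenticated, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def unprotect(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Correct order: verify the tag first and decrypt only if it matches."""
    if not tag_is_valid(mac_key, payload):
        raise ValueError("authentication tag mismatch: payload rejected")
    iv, ciphertext = payload[:IV_LEN], payload[IV_LEN:-TAG_LEN]
    return _keystream_xor(enc_key, iv, ciphertext)

def unprotect_broken(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Models the failure mode the advisory describes: the tag is computed but the
    result is discarded, so a modified payload is decrypted as if it were authentic."""
    iv, ciphertext = payload[:IV_LEN], payload[IV_LEN:-TAG_LEN]
    hmac.new(mac_key, payload[:-TAG_LEN], hashlib.sha256).digest()  # computed, never checked
    return _keystream_xor(enc_key, iv, ciphertext)
```

Running unprotect on a payload with a single flipped ciphertext byte raises, while unprotect_broken silently returns altered plaintext, which is the behaviour that lets a tampered cookie pass as genuine.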
Why this .NET bug matters
This issue matters because ASP.NET Core Data Protection sits behind common security features used in real applications, including authentication cookies and other protected state. The GitHub advisory for the Microsoft package rates the flaw at CVSS 9.1 and says the bug affects Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6, with 10.0.7 as the patched release.
Microsoft’s security advisory adds an important warning for teams that may have been exposed during the vulnerable window. If attackers used forged payloads to authenticate as privileged users, an application may have issued valid tokens to them, and those tokens can remain valid even after upgrading unless the DataProtection key ring is rotated.
The impact also depends on how the package was deployed. GitHub’s advisory says the primary affected setup involves applications that loaded the vulnerable NuGet package at runtime, particularly on non-Windows systems, while some Windows deployments that rely on the shared framework copy are not affected in the same way.
What developers and admins should do now
Microsoft’s guidance is direct. Install .NET 10.0.7, confirm the runtime update with dotnet --info, then rebuild and redeploy apps with updated packages or images. Microsoft’s .NET blog also points users to updated installers, container images, Linux packages, and known issues documentation.
For internet-exposed applications that may have run in a vulnerable state, patching alone may not be enough. Microsoft’s announcement recommends rotating the DataProtection key ring so any legitimately signed tokens issued to attackers during that period become invalid. The company also advises teams to review long-lived artifacts such as refresh tokens, API keys, and password reset links that may have been created during the affected window.
The bigger lesson is that this was not just a routine servicing fix. Microsoft tied the out-of-band release directly to a security regression in Data Protection, and the public advisory shows the flaw can affect core authentication flows if the vulnerable package was actually loaded. For teams running ASP.NET Core workloads, this is a patch-now update.
CVE-2026-40372 at a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-40372 |
| Fixed in | Microsoft.AspNetCore.DataProtection 10.0.7 |
| Affected versions | 10.0.0 through 10.0.6 |
| Release type | Out-of-band security update |
| Release date | April 21, 2026 |
| Main risk | Forged authentication cookies and possible decryption of protected payloads |
| Severity | CVSS 3.1 score 9.1 |
| Main action | Upgrade, redeploy, and consider key ring rotation |
Immediate response checklist
- Upgrade Microsoft.AspNetCore.DataProtection to 10.0.7 or later and redeploy affected apps.
- Run dotnet --info and confirm systems report version 10.0.7.
- Rebuild containerized and packaged deployments with the updated runtime or SDK.
- Rotate the DataProtection key ring for affected internet-facing apps that ran during the vulnerable window.
- Review refresh tokens, API keys, password reset links, and other long-lived artifacts issued during that period.
FAQ
It is an ASP.NET Core elevation of privilege vulnerability in Microsoft.AspNetCore.DataProtection that Microsoft fixed in version 10.0.7.
Microsoft says it issued the release out of band after investigating decryption failures reported after .NET 10.0.6 and discovering the related security flaw.
The affected package versions are 10.0.0 through 10.0.6. The patched version is 10.0.7.
Not always. Microsoft says affected internet-facing applications may also need DataProtection key ring rotation and review of long-lived tokens or artifacts created during the vulnerable window.