Home / Vulnerability Intelligence / CVE-2026-40372

CVE-2026-40372 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: April 22, 2026

ASP.NET Core - Authentication Bypass

Published: April 21, 2026Updated: April 22, 2026Remote Exploitable

Overview

ASP.NET Core contains a broken authentication caused by improper verification of cryptographic signature, letting unauthorized attackers elevate privileges over a network, exploit requires network access.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 2.2%(Probability of exploitation in next 30 days)

Impact

Unauthorized attackers can elevate privileges over the network, potentially gaining unauthorized access or control.

Mitigation

Update to the latest version of ASP.NET Core.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372

Social Media Activity(2 posts)

Alexandre Dulaunoy

@adulau

Apr 28, 2026

The diversity of advisory is key. Look at how good the advisory of GitHub is compared to the others. https://db.gcve.eu/vuln/cve-2026-40372 #cve #vulnerability #vulnerabilitymanagement

View original post

HackMag — Top-notch cybersecurity magazine

@hackmag

Apr 28, 2026

⚪️ Microsoft Issues Emergency Patch for Critical ASP.NET Vulnerability 🗨️ Microsoft has released an out-of-band update for ASP.NET Core. The patch fixes a critical vulnerability in the Data Protection cryptographic APIs that allowed unauthenticated attackers to obtain SYSTEM privileges by forging authentication cookies. The vulnerability is tracked as CVE-2026-40372 and… 🔗 https://hackmag.com/news/asp-net-patch?utm_source=mastodon&utm_medium=social&utm_campaign=repost_hackmag_to_socials #news

View original post

Related Resources

Details

CVE ID: CVE-2026-40372
Severity: Critical
CVSS Score: 9.1
Type: broken_authentication
Status: unconfirmed
EPSS: 2.2%
Social Posts: 2

CWE

CWE-347

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

2.2%Probability of exploitation in the next 30 days