Microsoft has issued an emergency patch addressing a high-severity vulnerability affecting the Microsoft.AspNetCore.DataProtection NuGet package. The flaw, tracked as CVE-2026-40372, impacts versions 10.0.0 through 10.0.6 of the package and allows unauthenticated attackers to potentially gain SYSTEM privileges on devices running web development frameworks on macOS or Linux.
The flaw stems from faulty verification of cryptographic signatures during HMAC validation. Exploitation allows attackers to forge authentication payloads. These forged payloads can be used to impersonate privileged users and potentially induce the application to issue legitimately signed tokens, such as session refresh keys, API keys, or password reset links, directly to the attacker.
These compromised tokens remain valid even after upgrading to version 10.0.7, unless the DataProtection key ring is rotated. Microsoft has emphasized that simply updating the package is not enough to ensure security.
Furthermore, the vulnerability creates a risk that persists even after patching. If an attacker successfully used forged payloads to authenticate as a privileged user during the vulnerable window, the resulting credentials must be purged at the application layer.
Microsoft advises that all users who utilize ASP.NET Core Data Protection should update the Microsoft.AspNetCore.DataProtection package to version 10.0.7 immediately to fix both the security vulnerability and a related decryption regression bug.
The vulnerability specifically affects applications running on non-Windows operating systems, including macOS and Linux, which loaded the vulnerable version at runtime. Windows applications are not affected because DataProtection by default uses encryptors that do not contain the bug.
For users whose applications served Internet-exposed endpoints while utilizing a vulnerable version, key rotation is mandatory. In addition to rotating the DataProtection key ring, users must audit and rotate any application-level, long-lived artifacts that may have been created during the vulnerable period, as these artifacts will survive key rotation.
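The rotation step above is the part most likely to be skipped, so here is an added example (not Microsoft's own remediation code) of what a key-ring rotation looks like with the public DataProtection API: it revokes every existing key in the ring, creates a fresh key, and then shows that a payload protected under the old ring can no longer be unprotected. The application name, the key directory path, and the sample purpose string are assumptions for illustration; the file-system key store is used so the example runs without external services.

```csharp
// Added example: rotate an ASP.NET Core DataProtection key ring after the
// vulnerable window. Not code from the advisory; app name, key path and
// purpose string are placeholders chosen for this illustration.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

public static class KeyRingRotation
{
    public static void Main()
    {
        // Assumed key-store location; use the same store the app is configured with.
        var keyDir = new DirectoryInfo("/var/lib/example-app/dp-keys");

        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("example-app")          // assumed application name
            .PersistKeysToFileSystem(keyDir);
        using var provider = services.BuildServiceProvider();

        var protector = provider
            .GetRequiredService<IDataProtectionProvider>()
            .CreateProtector("example-app.password-reset"); // assumed purpose string

        // A token issued before rotation (stands in for anything minted during
        // the vulnerable window, forged or legitimate).
        string preRotationToken = protector.Protect("user=alice;reset=1");

        // Rotate: revoke every key in the ring, then create a new active key.
        var keyManager = provider.GetRequiredService<IKeyManager>();
        keyManager.RevokeAllKeys(
            DateTimeOffset.UtcNow,
            reason: "Post-upgrade rotation after CVE-2026-40372 exposure window");
        var now = DateTimeOffset.UtcNow;
        IKey newKey = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
        Console.WriteLine($"New key {newKey.KeyId} active from {newKey.ActivationDate:u}");

        // Every key that existed before rotation must now show as revoked.
        foreach (IKey key in keyManager.GetAllKeys())
        {
            Console.WriteLine($"{key.KeyId} revoked={key.IsRevoked} expires={key.ExpirationDate:u}");
        }

        // Payloads protected under revoked keys are rejected by Unprotect.
        try
        {
            protector.Unprotect(preRotationToken);
            Console.WriteLine("UNEXPECTED: old token still accepted; rotation did not take effect");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Old token rejected after rotation (expected)");
        }

        // Tokens minted under the new key continue to work as normal.
        string fresh = protector.Protect("user=alice;reset=2");
        Console.WriteLine(protector.Unprotect(fresh) == "user=alice;reset=2"
            ? "New token round-trips"
            : "UNEXPECTED: new token failed");
    }
}
```

Run this once against the production key store with the application stopped or drained, then restart all instances so every process loads the rotated ring. Note what this does and does not cover: it invalidates anything the DataProtection stack itself protected (auth cookies, antiforgery tokens, protected reset links), but a database row holding an API key or refresh token that the application issued to a forged session is a separate artifact and has to be found and revoked at the application layer, exactly as the advisory says.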
The company noted that the package is designed to let runtime components and APIs evolve quickly; CVE-2026-40372 nonetheless carries a severity rating of 9.1 out of 10.