Skip to main content

Microsoft CVE-2026-40305

MEDIUM
Improper Authorization (CWE-285)
2026-04-17 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 18, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 17, 2026 - 22:09 vuln.today
Analysis Generated
Apr 17, 2026 - 21:45 vuln.today
CVE Published
Apr 17, 2026 - 21:06 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue.

AnalysisAI

DNN (DotNetNuke) Platform versions 6.0.0 through 10.2.1 allow authenticated users to bypass authorization controls in the friends feature and force acceptance of friend requests on behalf of other users, resulting in unauthorized relationship modifications. The vulnerability requires valid user credentials (PR:L) and affects the integrity of user social graphs without exposing sensitive data. No public exploit code or active exploitation has been confirmed; vendors have released patched version 10.2.2.

Technical ContextAI

DNN Platform is a Microsoft-ecosystem content management system built on ASP.NET that includes a friends/contacts feature allowing users to manage social relationships within the platform. The vulnerability stems from inadequate authorization validation (CWE-285: Improper Authorization) in the friends request acceptance mechanism, where the application fails to properly verify that the user accepting a friend request is the intended recipient or has explicit authorization to do so. This is a logic flaw in the business logic layer rather than a cryptographic or input validation issue. The affected versions span from 6.0.0 onward, indicating the vulnerability was introduced during a major feature release and persisted for approximately four years before remediation.

RemediationAI

Upgrade DNN Platform to version 10.2.2 or later immediately; this is the vendor-released patch that directly addresses the authorization bypass. Organizations unable to upgrade immediately should restrict access to the friends feature using DNN's role-based access control (RBAC) by disabling the friends module for user roles where the feature is not essential, or by implementing network-level restrictions on the friends feature endpoints to authenticated internal networks only. Note that disabling the feature entirely eliminates the attack surface but may impact user experience if the platform is used for internal collaboration. As an interim compensating control, implement enhanced logging and monitoring of friend request acceptance events to detect unusual patterns such as bulk acceptance or acceptance by users from different network segments. This monitoring cannot prevent the attack but enables rapid incident response and user notification. Complete remediation requires deployment of version 10.2.2, as no partial mitigation fully closes the authorization flaw.

Share

CVE-2026-40305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy