Microsoft
CVE-2026-40305
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue.
AnalysisAI
DNN (DotNetNuke) Platform versions 6.0.0 through 10.2.1 allow authenticated users to bypass authorization controls in the friends feature and force acceptance of friend requests on behalf of other users, resulting in unauthorized relationship modifications. The vulnerability requires valid user credentials (PR:L) and affects the integrity of user social graphs without exposing sensitive data. No public exploit code or active exploitation has been confirmed; vendors have released patched version 10.2.2.
Technical ContextAI
DNN Platform is a Microsoft-ecosystem content management system built on ASP.NET that includes a friends/contacts feature allowing users to manage social relationships within the platform. The vulnerability stems from inadequate authorization validation (CWE-285: Improper Authorization) in the friends request acceptance mechanism, where the application fails to properly verify that the user accepting a friend request is the intended recipient or has explicit authorization to do so. This is a logic flaw in the business logic layer rather than a cryptographic or input validation issue. The affected versions span from 6.0.0 onward, indicating the vulnerability was introduced during a major feature release and persisted for approximately four years before remediation.
RemediationAI
Upgrade DNN Platform to version 10.2.2 or later immediately; this is the vendor-released patch that directly addresses the authorization bypass. Organizations unable to upgrade immediately should restrict access to the friends feature using DNN's role-based access control (RBAC) by disabling the friends module for user roles where the feature is not essential, or by implementing network-level restrictions on the friends feature endpoints to authenticated internal networks only. Note that disabling the feature entirely eliminates the attack surface but may impact user experience if the platform is used for internal collaboration. As an interim compensating control, implement enhanced logging and monitoring of friend request acceptance events to detect unusual patterns such as bulk acceptance or acceptance by users from different network segments. This monitoring cannot prevent the attack but enables rapid incident response and user notification. Complete remediation requires deployment of version 10.2.2, as no partial mitigation fully closes the authorization flaw.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today