Skip to main content

Microsoft CVE-2026-40306

MEDIUM
Use of Insufficiently Random Values (CWE-330)
2026-04-17 GitHub_M
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch released
Apr 18, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 18, 2026 - 00:18 vuln.today
CVSS changed
Apr 17, 2026 - 22:22 NVD
6.9 (MEDIUM)
Analysis Generated
Apr 17, 2026 - 21:45 vuln.today
CVE Published
Apr 17, 2026 - 21:09 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 patches the issue.

AnalysisAI

DNN (DotNetNuke) 10.0.0 through 10.2.1 installations use an identical Host GUID across all new deployments, enabling attackers to impersonate the host administrator account and gain unauthorized access to sensitive CMS functionality. This affects only fresh installations-upgrades from 9.x retain unique identifiers. The vulnerability requires network access to exploit but no authentication or user interaction, and is patched in version 10.2.2.

Technical ContextAI

DNN uses a Host GUID (Globally Unique Identifier) as a security token to authenticate host-level administrative actions within the CMS platform. GUIDs are cryptographic identifiers intended to be unique across all instances; a static or repeated Host GUID across deployments violates fundamental identity principles (CWE-330: Use of Insufficiently Random Values). The affected versions 10.0.0-10.2.1 appear to use a hardcoded or deterministically-generated GUID in installation routines, whereas version 9.x and upgrade paths from 9.x properly generate unique identifiers. Attackers who identify the canonical GUID used in new 10.x installations can craft requests impersonating any DNN host, bypassing role-based access controls tied to host identity.

RemediationAI

Upgrade to DNN Platform 10.2.2 or later immediately. For organizations unable to patch immediately, the primary workaround is to regenerate the Host GUID in the DNN database: query the Host table and replace the GUID column value with a newly generated unique identifier (using NEWID() in SQL Server or equivalent UUID function), then restart the application to flush caches. This requires database access and should be validated in a test environment first. Organizations should also audit access logs and database modification history on unpatched 10.x instances to identify unauthorized host-level activity. The patch itself is straightforward and carries no known compatibility issues. See the GitHub Security Advisory at https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2rhw-gw3f-477j for detailed remediation steps.

Share

CVE-2026-40306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy