Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
AnalysisAI
Cryptographic signature verification bypass in ASP.NET Core 10.0 enables remote unauthenticated attackers to forge authentication tokens and gain unauthorized access to protected resources. Tagged as a JWT attack involving authentication bypass, this vulnerability allows complete compromise of confidentiality and integrity without requiring any special conditions (AV:N/AC:L/PR:N/UI:N). Microsoft has released a security update addressing this flaw. No active exploitation confirmed in CISA KEV at time of analysis, though the authentication bypass nature and network-accessible attack surface present significant risk for widely deployed ASP.NET Core applications.
Technical ContextAI
ASP.NET Core 10.0 implements JSON Web Token (JWT) authentication for API authorization and identity verification. The vulnerability stems from CWE-347 (Improper Verification of Cryptographic Signature), indicating the framework fails to properly validate JWT signature integrity during token authentication. This allows attackers to manipulate or forge JWTs that bypass signature verification checks. The affected CPE (cpe:2.3:a:microsoft:asp.net_core_10.0) identifies Microsoft ASP.NET Core version 10.0 as the impacted platform. JWT attacks typically exploit weaknesses in algorithm selection (e.g., 'none' algorithm acceptance), key confusion, or insufficient signature validation logic, enabling token forgery without possessing the signing secret.
RemediationAI
Apply the security update released by Microsoft immediately per guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372. The vendor advisory specifies the exact patched version resolving the signature verification flaw. Organizations unable to patch immediately should implement compensating controls: restrict network access to ASP.NET Core APIs using firewall rules or VPN requirements to limit exposure to trusted networks only (trade-off: reduces accessibility for legitimate remote users), implement additional authentication layers such as API gateways with independent JWT validation (trade-off: increased latency and architectural complexity), or deploy Web Application Firewall rules to inspect and validate JWT structure and claims (trade-off: may require custom rule development and could introduce false positives). These mitigations reduce but do not eliminate risk; patching remains the definitive solution.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24249
GHSA-9mv3-2cwr-p262