Skip to main content

ASP.NET Core CVE-2026-40372

| EUVDEUVD-2026-24249 CRITICAL
Improper Verification of Cryptographic Signature (CWE-347)
2026-04-21 microsoft GHSA-9mv3-2cwr-p262
9.1
CVSS 3.1 · Vendor: microsoft
Temporal: 7.9
Share

Severity by source

Vendor (microsoft) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CIRCL (temporal)
7.9 HIGH
cvss
Red Hat
9.1 CRITICAL
qualitative

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 20:51 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 20:00 euvd
EUVD-2026-24249
Analysis Generated
Apr 21, 2026 - 20:00 vuln.today
Patch released
Apr 21, 2026 - 20:00 nvd
Patch available
CVE Published
Apr 21, 2026 - 19:20 nvd
CRITICAL 9.1

DescriptionCVE.org

Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Cryptographic signature verification bypass in ASP.NET Core 10.0 enables remote unauthenticated attackers to forge authentication tokens and gain unauthorized access to protected resources. Tagged as a JWT attack involving authentication bypass, this vulnerability allows complete compromise of confidentiality and integrity without requiring any special conditions (AV:N/AC:L/PR:N/UI:N). Microsoft has released a security update addressing this flaw. No active exploitation confirmed in CISA KEV at time of analysis, though the authentication bypass nature and network-accessible attack surface present significant risk for widely deployed ASP.NET Core applications.

Technical ContextAI

ASP.NET Core 10.0 implements JSON Web Token (JWT) authentication for API authorization and identity verification. The vulnerability stems from CWE-347 (Improper Verification of Cryptographic Signature), indicating the framework fails to properly validate JWT signature integrity during token authentication. This allows attackers to manipulate or forge JWTs that bypass signature verification checks. The affected CPE (cpe:2.3:a:microsoft:asp.net_core_10.0) identifies Microsoft ASP.NET Core version 10.0 as the impacted platform. JWT attacks typically exploit weaknesses in algorithm selection (e.g., 'none' algorithm acceptance), key confusion, or insufficient signature validation logic, enabling token forgery without possessing the signing secret.

RemediationAI

Apply the security update released by Microsoft immediately per guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372. The vendor advisory specifies the exact patched version resolving the signature verification flaw. Organizations unable to patch immediately should implement compensating controls: restrict network access to ASP.NET Core APIs using firewall rules or VPN requirements to limit exposure to trusted networks only (trade-off: reduces accessibility for legitimate remote users), implement additional authentication layers such as API gateways with independent JWT validation (trade-off: increased latency and architectural complexity), or deploy Web Application Firewall rules to inspect and validate JWT structure and claims (trade-off: may require custom rule development and could introduce false positives). These mitigations reduce but do not eliminate risk; patching remains the definitive solution.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Vendor StatusVendor

Share

CVE-2026-40372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy