Skip to main content

ASP.NET Core CVE-2026-47303

| EUVDEUVD-2026-44354 HIGH
Authentication Bypass by Assumed-Immutable Data (CWE-302)
2026-07-14 microsoft
8.8
CVSS 3.1 · Vendor: microsoft
Temporal: 7.7
Share

Severity by source

Vendor (microsoft) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
7.7 HIGH
cvss
vuln.today AI
8.8 HIGH

Network-reachable low-complexity bypass needing a pre-existing low-privilege account (PR:L, no UI), yielding full privilege elevation with high C/I/A in unchanged scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:10 vuln.today
CVE Published
Jul 14, 2026 - 18:45 nvd
HIGH 8.8

DescriptionCVE.org

Authentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged network attacker bypass authentication controls by tampering with data the framework wrongly assumes to be immutable (CWE-302). Microsoft reported and patched the flaw; there is no public exploit identified at time of analysis and it is not on CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Identify assumed-immutable identity data
Exploit
Tamper with token/claim value
Execution
Resubmit to bypass authentication
Impact
Elevate to higher privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already possess valid low-privileged authenticated access to the target ASP.NET Core application, reflected by CVSS PR:L - this is not an unauthenticated attack. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8, High) indicates a network-reachable, low-complexity attack requiring the attacker to already hold low-level privileges (PR:L - an authenticated but unprivileged account) with no user interaction, yielding high confidentiality, integrity, and availability impact in an unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a low-privilege account on an ASP.NET Core application logs in normally, then manipulates an identity artifact (such as a claim or token value) that the framework assumes cannot be changed, and resubmits it to be accepted as a higher-privileged user. Because the attack is network-based and low-complexity with no user interaction, the request can be automated once the tamperable field is identified. …
Remediation Apply the Microsoft-released update for the affected .NET channel - patch available per vendor advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47303 - installing the latest servicing release for .NET 8.0, 9.0, or 10.0, and the corresponding Visual Studio 2022 17.12/17.14 or Visual Studio 2026 18.7 update on developer machines and build agents. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all production and development systems running ASP.NET Core on .NET 8.0, 9.0, or 10.0. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33116 HIGH POC
7.5 Apr 14

Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a

CVE-2026-26171 HIGH POC
7.5 Apr 14

Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex

CVE-2026-42899 HIGH POC
7.5 May 12

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o

CVE-2026-35433 HIGH POC
7.3 May 12

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

CVE-2026-32177 HIGH POC
7.3 May 12

Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through

CVE-2026-47300 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-32175 MEDIUM POC
4.3 May 12

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully

CVE-2026-50528 HIGH
8.2 Jul 14

Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve

CVE-2026-57108 HIGH
7.5 Jul 14

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or

CVE-2026-47302 HIGH
7.5 Jul 14

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allo

CVE-2026-56170 HIGH
7.5 Jul 14

Denial of service in ASP.NET Core (the web framework shipped with .NET 8.0, 9.0, and 10.0) lets a remote, unauthenticate

CVE-2026-50524 HIGH
7.5 Jul 14

Remote denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows an unauthenticated network attacker to c

Share

CVE-2026-47303 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy