Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable low-complexity bypass needing a pre-existing low-privilege account (PR:L, no UI), yielding full privilege elevation with high C/I/A in unchanged scope.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Authentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged network attacker bypass authentication controls by tampering with data the framework wrongly assumes to be immutable (CWE-302). Microsoft reported and patched the flaw; there is no public exploit identified at time of analysis and it is not on CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already possess valid low-privileged authenticated access to the target ASP.NET Core application, reflected by CVSS PR:L - this is not an unauthenticated attack. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8, High) indicates a network-reachable, low-complexity attack requiring the attacker to already hold low-level privileges (PR:L - an authenticated but unprivileged account) with no user interaction, yielding high confidentiality, integrity, and availability impact in an unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privilege account on an ASP.NET Core application logs in normally, then manipulates an identity artifact (such as a claim or token value) that the framework assumes cannot be changed, and resubmits it to be accepted as a higher-privileged user. Because the attack is network-based and low-complexity with no user interaction, the request can be automated once the tamperable field is identified. … |
| Remediation | Apply the Microsoft-released update for the affected .NET channel - patch available per vendor advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47303 - installing the latest servicing release for .NET 8.0, 9.0, or 10.0, and the corresponding Visual Studio 2022 17.12/17.14 or Visual Studio 2026 18.7 update on developer machines and build agents. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all production and development systems running ASP.NET Core on .NET 8.0, 9.0, or 10.0. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a
Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o
Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.
Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully
Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allo
Denial of service in ASP.NET Core (the web framework shipped with .NET 8.0, 9.0, and 10.0) lets a remote, unauthenticate
Remote denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows an unauthenticated network attacker to c
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44354