Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Network-reachable authorization bypass needing no auth or interaction (AV:N/AC:L/PR:N/UI:N); primary effect is an integrity/security-control bypass (I:H) with limited data exposure (C:L) and no availability impact.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Incorrect authorization in .NET allows an unauthorized attacker to bypass a security feature over a network.
AnalysisAI
Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumvent an authorization control over the network due to incorrect authorization logic (CWE-863). Rated CVSS 8.2, the flaw carries a high integrity impact and requires no privileges or user interaction, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), no special conditions are required beyond network reachability - remote unauthenticated exploitation is possible against affected .NET services with no user interaction. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N, base 8.2) describes a genuinely low-barrier network attack: no authentication, no user interaction, and low attack complexity, with the primary damage being integrity (I:H) - consistent with bypassing an authorization/security control - plus limited confidentiality exposure (C:L) and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with only network access sends a crafted request to an internet-facing service running an affected .NET version, exploiting the incorrect authorization check to reach functionality or data that the security control was meant to protect. Because no authentication or user interaction is required and complexity is low, the request can succeed against a default-configured target; no public exploit is identified at time of analysis, so this remains a plausible but not yet demonstrated attack. |
| Remediation | Patch available per vendor advisory - apply the Microsoft updates for the affected .NET runtime/SDK (8.0, 9.0, or 10.0) and, where applicable, update Visual Studio 2022 (17.12/17.14) and Visual Studio 2026 (18.7) to the fixed servicing releases, following the exact fixed versions listed at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50528. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, execute a comprehensive inventory of all servers, development systems, and CI/CD pipelines running .NET 8.0, 9.0, or 10.0, along with Visual Studio 2022 (17.12, 17.14) and Visual Studio 2026 (18.7) installations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a
Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o
Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.
Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allo
Denial of service in ASP.NET Core (the web framework shipped with .NET 8.0, 9.0, and 10.0) lets a remote, unauthenticate
Remote denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows an unauthenticated network attacker to c
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44396