Skip to main content

.NET EUVDEUVD-2026-44396

| CVE-2026-50528 HIGH
Incorrect Authorization (CWE-863)
2026-07-14 microsoft
8.2
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
ENISA EUVD
HIGH
qualitative
vuln.today AI
8.2 HIGH

Network-reachable authorization bypass needing no auth or interaction (AV:N/AC:L/PR:N/UI:N); primary effect is an integrity/security-control bypass (I:H) with limited data exposure (C:L) and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:54 vuln.today
CVE Published
Jul 14, 2026 - 19:29 nvd
HIGH 8.2

DescriptionCVE.org

Incorrect authorization in .NET allows an unauthorized attacker to bypass a security feature over a network.

AnalysisAI

Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumvent an authorization control over the network due to incorrect authorization logic (CWE-863). Rated CVSS 8.2, the flaw carries a high integrity impact and requires no privileges or user interaction, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach network-exposed .NET service
Delivery
Send crafted request to protected endpoint
Exploit
Trigger incorrect authorization check
Execution
Bypass security control
Impact
Access restricted function or data

Vulnerability AssessmentAI

Exploitation Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), no special conditions are required beyond network reachability - remote unauthenticated exploitation is possible against affected .NET services with no user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N, base 8.2) describes a genuinely low-barrier network attack: no authentication, no user interaction, and low attack complexity, with the primary damage being integrity (I:H) - consistent with bypassing an authorization/security control - plus limited confidentiality exposure (C:L) and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with only network access sends a crafted request to an internet-facing service running an affected .NET version, exploiting the incorrect authorization check to reach functionality or data that the security control was meant to protect. Because no authentication or user interaction is required and complexity is low, the request can succeed against a default-configured target; no public exploit is identified at time of analysis, so this remains a plausible but not yet demonstrated attack.
Remediation Patch available per vendor advisory - apply the Microsoft updates for the affected .NET runtime/SDK (8.0, 9.0, or 10.0) and, where applicable, update Visual Studio 2022 (17.12/17.14) and Visual Studio 2026 (18.7) to the fixed servicing releases, following the exact fixed versions listed at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50528. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, execute a comprehensive inventory of all servers, development systems, and CI/CD pipelines running .NET 8.0, 9.0, or 10.0, along with Visual Studio 2022 (17.12, 17.14) and Visual Studio 2026 (18.7) installations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33116 HIGH POC
7.5 Apr 14

Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a

CVE-2026-26171 HIGH POC
7.5 Apr 14

Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex

CVE-2026-42899 HIGH POC
7.5 May 12

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o

CVE-2026-35433 HIGH POC
7.3 May 12

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

CVE-2026-32177 HIGH POC
7.3 May 12

Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through

CVE-2026-47303 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-47300 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-32175 MEDIUM POC
4.3 May 12

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully

CVE-2026-57108 HIGH
7.5 Jul 14

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or

CVE-2026-47302 HIGH
7.5 Jul 14

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allo

CVE-2026-56170 HIGH
7.5 Jul 14

Denial of service in ASP.NET Core (the web framework shipped with .NET 8.0, 9.0, and 10.0) lets a remote, unauthenticate

CVE-2026-50524 HIGH
7.5 Jul 14

Remote denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows an unauthenticated network attacker to c

Share

EUVD-2026-44396 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy