PROBABLYPWNED
Vulnerabilities | April 28, 2026

ASP.NET Core Bug Lets Attackers Forge Auth Cookies for SYSTEM Access

Microsoft releases emergency patch for CVE-2026-40372 (CVSS 9.1), a critical ASP.NET Core flaw allowing attackers to forge authentication cookies and gain SYSTEM privileges on Linux and macOS servers.

Marcus Chen

Microsoft pushed out-of-band security updates over the weekend to address a critical vulnerability in ASP.NET Core that allows unauthenticated attackers to forge authentication credentials and escalate to SYSTEM-level privileges on affected servers.

CVE-2026-40372 carries a CVSS score of 9.1 and affects the Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6. The flaw stems from a regression that breaks cryptographic signature validation, effectively letting attackers bypass authentication entirely.

What Went Wrong

According to Microsoft's advisory, the managed authenticated encryptor in affected versions "computes its HMAC validation tag over the wrong bytes of the payload and then discards the computed hash in some cases."

This is about as bad as cryptographic bugs get. The Data Protection system is designed to secure authentication cookies, antiforgery tokens, and other sensitive state data. When the HMAC validation fails silently, tampered payloads pass through as legitimate.

The vulnerability specifically impacts applications running on Linux, macOS, or other non-Windows operating systems. Windows deployments use a different code path that remains unaffected.

Attack Scenario

An attacker targeting a vulnerable ASP.NET Core application could craft forged authentication cookies that the server accepts as valid. From there, the path to SYSTEM privileges is straightforward—the attacker authenticates as any user, including administrative accounts.

The attack requires network access to the target application but no prior authentication. Combined with the low attack complexity, this puts any internet-facing ASP.NET Core application on a non-Windows host at immediate risk.

Security researchers at CyCognito noted the vulnerability "breaks the integrity guarantees that the Data Protection system is designed to enforce." Applications using the vulnerable package for session management, CSRF protection, or encrypted state storage are all affected.

Affected Deployments

The vulnerability impacts a specific but widely-deployed configuration:

  • Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6
  • Applications running on Linux, macOS, or non-Windows platforms
  • Any application using the NuGet package directly or as a transitive dependency

Organizations running ASP.NET Core workloads in containers—which predominantly use Linux—should treat this as an emergency. The same applies to macOS development environments where authentication cookies generated locally could be forged.

This vulnerability adds to a growing list of authentication bypass issues affecting web frameworks this month. Authentication middleware continues to be a frequent source of critical vulnerabilities.

Remediation Steps

Microsoft recommends the following actions:

  1. Upgrade immediately to Microsoft.AspNetCore.DataProtection version 10.0.7
  2. Rotate your Data Protection key ring after upgrading to invalidate any tokens issued during the vulnerable window
  3. Call RevokeAllKeys on IKeyManager to force all users to reauthenticate
  4. Invalidate antiforgery tokens in circulation to prevent CSRF attacks using forged tokens
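The integrity failure described under "What Went Wrong" and the rotation in steps 2 and 3 above can both be exercised from a small standalone program. This is an added example, not code from Microsoft's advisory; the key directory, application name, purpose string and sample cookie value are assumed, and it expects the patched Microsoft.AspNetCore.DataProtection package plus Microsoft.Extensions.DependencyInjection in a project with nullable reference types enabled.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Constructed demo: a Data Protection stack with a throwaway on-disk key ring
// (assumed path), so it runs outside a web host. Production apps resolve the
// same services (IDataProtectionProvider, IKeyManager) from the host's DI.
var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keys-demo"));
var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("dp-rotation-demo")     // assumed name
    .PersistKeysToFileSystem(keyDir);
using var provider = services.BuildServiceProvider();

var protector = provider.GetRequiredService<IDataProtectionProvider>()
    .CreateProtector("auth-cookie-demo");        // assumed purpose string
var keyManager = provider.GetRequiredService<IKeyManager>();

// 1. Integrity self-check: a payload with one flipped byte must be rejected.
//    On a build with the regression this is exactly the check that fails open.
byte[] token = protector.Protect(Encoding.UTF8.GetBytes("user=alice;role=admin"));
byte[] tampered = (byte[])token.Clone();
tampered[^1] ^= 0x01;                            // corrupt the trailing MAC byte
Console.WriteLine(TryUnprotect(protector, tampered) == null
    ? "tampered payload rejected (expected)"
    : "tampered payload ACCEPTED: integrity check is not working");

// 2. Post-patch rotation: revoke every key created up to now, then mint a
//    fresh one so the app keeps working. Capture the timestamp first so the
//    new key's creation date is strictly after the revocation date.
var now = DateTimeOffset.UtcNow;
keyManager.RevokeAllKeys(now, reason: "post-patch rotation");
keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));

// 3. A token minted before the rotation must now fail: every session
//    re-authenticates and any cookie forged during the window is dead.
Console.WriteLine(TryUnprotect(protector, token) == null
    ? "pre-rotation token rejected (expected)"
    : "pre-rotation token still valid: rotation did not take effect");

// Unprotect throws CryptographicException for tampered or revoked payloads;
// map that to null so the checks above read as pass/fail.
static byte[]? TryUnprotect(IDataProtector p, byte[] payload)
{
    try { return p.Unprotect(payload); }
    catch (CryptographicException) { return null; }
}
```

Step 4 is covered by the same rotation: antiforgery tokens are protected with the same key ring, so revoking it invalidates them as well.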

The key rotation step is critical. Simply patching without rotating keys leaves a window where attackers with captured tokens could still exploit the vulnerability.

Detection and Response

Organizations should review authentication logs for anomalies during the vulnerable window. Look for:

  • Unusual privilege escalations or administrative actions
  • Authentication events from unexpected geographic locations
  • Session tokens with inconsistent metadata
  • Antiforgery validation failures followed by successful requests

If you deployed a vulnerable version at any point between the release of 10.0.0 and the time you applied the patch, assume compromise is possible. The cryptographic guarantees that should have protected your authentication system were not functioning.

Why This Matters

Cryptographic vulnerabilities in authentication systems represent some of the most severe flaws that can affect web applications. When signature validation fails, the entire trust model collapses—attackers can impersonate any user without stealing credentials.

The Microsoft ASP.NET team has historically maintained strong security practices, making this regression particularly notable. The fact that # nosec comments and security linter warnings can be suppressed highlights a broader pattern we've seen in AI/ML frameworks where security warnings get disabled rather than addressed.

This incident also demonstrates the risk of platform-specific code paths. The vulnerability only affects non-Windows platforms because the managed encryptor follows a different execution path. Cross-platform testing for security regressions clearly needs improvement.

For organizations running ASP.NET Core on Linux or macOS, this is a drop-everything-and-patch situation. The combination of unauthenticated access, SYSTEM-level privileges, and low attack complexity makes CVE-2026-40372 one of the more severe vulnerabilities we've covered on hacking news this month.
