ASP.NET Core CVE-2026-40372: Out-of-Band Patch for Critical Cookie Forgery Flaw — Rotate Your Data Protection Keys

Introduction

Microsoft has released an out-of-band update to .NET 10.0.7 to fix CVE-2026-40372, a critical cryptographic flaw in the Microsoft.AspNetCore.DataProtection NuGet package. The bug — rated CVSS 9.1 and introduced as a regression in the April Patch Tuesday 10.0.6 release — lets an attacker forge authentication cookies, anti-forgery tokens, OIDC state, and TempData payloads, and even decrypt protected payloads the application previously issued. Simply upgrading to 10.0.7 is not enough; the Data Protection key ring must be rotated to invalidate any tokens an attacker may already hold.

What Happened

ASP.NET Core Data Protection is the subsystem that protects cookies, anti-forgery tokens, session state, password reset links, and a range of other short-lived crypto payloads used by .NET web apps. In versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, the managed authenticated encryptor (ManagedAuthenticatedEncryptor) computed its HMAC validation tag over the wrong bytes of the payload, then discarded the resulting hash. The practical consequence: the library would validate and trust payloads whose HMAC was effectively zero, allowing an attacker to forge their own.

Microsoft's advisory is blunt about the impact. An attacker who forged a privileged authentication cookie during the vulnerable window could cause the application to issue its own legitimately signed tokens — session refresh tokens, API keys, password reset links — to themselves. Those tokens stay valid after upgrading to 10.0.7 unless the Data Protection key ring is rotated.

The advisory likens the bug's capability to MS10-070, the 2010 ASP.NET padding-oracle vulnerability that caused widespread panic. The flaw is classified as CWE-347 (Improper Verification of Cryptographic Signature).

The regression was introduced as part of the April Patch Tuesday 10.0.6 release on April 14. A few days later, customers reported decryption failures; while investigating, Microsoft determined that the same regression opened the forgery window. The out-of-band .NET 10.0.7 release landed on April 21 to remediate both the failed-decryption bug and the security flaw.

Only .NET 10 is affected. The defective code path was introduced during 10.0 development and was never backported to the 8.0 or 9.0 servicing branches. On Windows the default behavior uses Windows CNG/DPAPI and is affected only when the developer explicitly opted into managed algorithms via UseCustomCryptographicAlgorithms. On Linux, macOS, and other non-Windows platforms, the managed encryptor is the default — meaning almost every containerized ASP.NET Core 10 service shipped in the last week is in scope.

Why It Matters

Data Protection failures are among the worst kinds of cryptographic bugs because they break trust across an entire authentication surface at once. Cookies, tokens, and anti-forgery values all rely on the same Data Protection system. A working forgery primitive lets an attacker masquerade as any user — including administrators — and persist that access through "legitimately signed" long-lived credentials that survive the patch.

Because the vulnerable window was short (April 14–21) and many teams deploy quickly, the practical question is not "is the code patched?" but "did any attacker mint persistent tokens against us during that week?" Anyone running ASP.NET Core 10 on Linux/containers, or on Windows with UseCustomCryptographicAlgorithms, must answer that by rotating keys and invalidating outstanding tokens.

Who Is Affected

  • Any ASP.NET Core 10 application on .NET 10.0.0 through 10.0.6
  • All Linux and macOS deployments (managed encryptor is the default)
  • Windows deployments that opted into UseCustomCryptographicAlgorithms
  • Applications exposed to the internet during the April 14–21 window, where forgery attempts are most likely
  • Downstream consumers of issued tokens (API keys, refresh tokens, password reset links) that were generated during the vulnerable window

How to Protect Yourself

Step 1: Update the package and runtime.

dotnet --info   # confirm current version
dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7
dotnet restore
dotnet build

For container deployments, rebuild with the new base image:

FROM mcr.microsoft.com/dotnet/aspnet:10.0.7

Check all resolved versions across your solution:

dotnet list package --include-transitive | grep -i dataprotection

Step 2: Rotate the Data Protection key ring.

This is the step many teams will skip. Do not skip it.

If you store keys on the filesystem, identify the location:

# Default locations:
# Linux: ~/.aspnet/DataProtection-Keys/
# Windows: %LOCALAPPDATA%\ASP.NET\DataProtection-Keys\
ls -la ~/.aspnet/DataProtection-Keys/

Configure a persistent key location and an explicit key lifetime in Program.cs:

builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo("/var/keys"))   // shared key store for every instance
    .SetApplicationName("YourApp")                             // isolates this app's key ring from others
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90));             // new keys are generated before this elapses

To force a new key immediately, delete or archive the old key XML files and restart the application. Restart every instance that shares the key directory: the key ring is cached in-process (by default it is refreshed only every 24 hours), so an instance that is not restarted keeps protecting and unprotecting with the old keys until its cache refreshes.

mkdir ~/.aspnet/DataProtection-Keys.archived
mv ~/.aspnet/DataProtection-Keys/*.xml ~/.aspnet/DataProtection-Keys.archived/
systemctl restart your-aspnet-service

If you persist keys to Azure Key Vault, Redis, or SQL, invalidate or delete the existing keys in that store so the app is forced to generate fresh ones.

Step 3: Invalidate outstanding tokens.

  • Authentication cookies: Set a new cookie name or force cookie expiration app-wide.
  • Refresh tokens / API keys issued during the window: Expire them in your database.
  • Password reset links issued during the window: Invalidate them and have users request new ones.
  • Anti-forgery tokens: These are tied to the key ring and will be invalid after rotation — users may see one-time failures on active sessions.

Step 4: Hunt for possible abuse. Review authentication and admin audit logs for the April 14–21 window:

SELECT user_id, event_type, ip_address, user_agent, created_at
FROM auth_events
WHERE created_at BETWEEN '2026-04-14' AND '2026-04-22'
  AND event_type IN ('login_success', 'token_issued', 'password_reset', 'api_key_created')
ORDER BY created_at;

Look for privileged accounts with unusual source IPs, new device fingerprints, or unexplained API key creations.

Step 5: Harden for the future. Move Data Protection keys to a managed store (Azure Key Vault, AWS KMS, HashiCorp Vault) and enable automatic rotation. Monitor the Microsoft.AspNetCore.DataProtection.KeyManagement logs for unexpected key creation or usage events.
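A worked check for Steps 2 and 3, added here and not taken from the advisory: a small console program that protects a payload, revokes the whole key ring through the Data Protection IKeyManager API (the supported equivalent of archiving the key XML files), creates a fresh key, and confirms that the pre-rotation payload is now rejected while new payloads still round-trip. It assumes a console project referencing the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages; the key directory, application name and purpose string are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Added demo, not the advisory's code. A throwaway key directory keeps the run self-contained;
// in production, PersistKeysToFileSystem must point at the key store the app really uses.
var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-rotation-" + Guid.NewGuid()));

var services = new ServiceCollection();
services.AddDataProtection()
    .PersistKeysToFileSystem(keyDir)
    .SetApplicationName("RotationDemo");            // placeholder application name
using var provider = services.BuildServiceProvider();

var protector = provider.GetRequiredService<IDataProtectionProvider>()
    .CreateProtector("RotationDemo.AuthCookie");    // placeholder purpose string
var keyManager = provider.GetRequiredService<IKeyManager>();

// 1. A payload minted before rotation stands in for a cookie or token issued during the window.
string oldPayload = protector.Protect("user=admin;role=Administrator");
Console.WriteLine($"Before rotation: {protector.Unprotect(oldPayload)}");

// 2. Rotate: revoke every key created so far, then create a new one. The revoked keys stay
//    in the store as a revocation record, and Unprotect refuses payloads that reference them.
keyManager.RevokeAllKeys(DateTimeOffset.UtcNow, reason: "CVE-2026-40372 key ring rotation");
keyManager.CreateNewKey(
    activationDate: DateTimeOffset.UtcNow,
    expirationDate: DateTimeOffset.UtcNow.AddDays(90));

// 3. The pre-rotation payload must now fail, and a freshly protected one must succeed.
try
{
    protector.Unprotect(oldPayload);
    Console.WriteLine("UNEXPECTED: pre-rotation payload still accepted; rotation did not take effect");
}
catch (CryptographicException ex)
{
    Console.WriteLine($"After rotation, old payload rejected: {ex.Message}");
}

string newPayload = protector.Protect("user=admin;role=Administrator");
Console.WriteLine($"New payload round-trips: {protector.Unprotect(newPayload)}");
```

The same RevokeAllKeys call works against the Azure Key Vault, Redis, or SQL repositories, since it writes a revocation element through the configured IXmlRepository rather than touching files directly.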
