On April 21, 2026, Microsoft disclosed CVE-2026-40372, a high-severity vulnerability in the Microsoft.AspNetCore.DataProtection NuGet package. It allows attackers to execute an Elevation of Privilege attack by forging authentication cookies.
None of the Duende packages have a direct or transitive dependency on the Microsoft.AspNetCore.DataProtection NuGet package. However, there are cases where your application may be using that NuGet package as a dependency of its own.
The Vulnerability
CVE-2026-40372 is an Elevation of Privilege vulnerability. It has a CVSS score of 9.1 (HIGH) because of the impact it can have on a running system. For full details, see Microsoft’s advisory GitHub Issue, which also includes instructions for checking whether you are affected and how to update your codebase. Microsoft provides some extra context in a related GitHub Issue.
How can an attacker use this vulnerability?
Microsoft has not documented the direct steps an attacker can use to take advantage of this vulnerability. This is common when disclosing vulnerabilities, to protect users who have not yet been able to update their systems. CVE descriptions are also written in a generic way that describes what the vulnerability can allow a malicious actor to do.
When Data Protection unprotects data, it runs a Decrypt operation that includes a Message Authentication Code (MAC) verification. This is where the vulnerability lies: an attacker who knows what they are doing, given enough time, can issue repeated requests in a “padding oracle attack” to forge a valid Data Protection payload such as an authentication cookie. The root cause is a flaw in the CalculateAndValidateMac method.
After forging this cookie and gaining access to your web application, if the attacker then successfully refreshes their cookie, your application issues them a valid protected cookie. From that moment on, their access persists even after you have patched your code, unless you rotate your Data Protection keys to forcibly sign everyone out.
Determine if you are affected
Your first step is to determine if this affects you. The Microsoft advisory has a list of conditions to check.
Applications are likely not affected if they have a direct Microsoft.NET.Sdk.Web or Microsoft.AspNetCore.App framework reference (the <Project Sdk="Microsoft.NET.Sdk.Web"> line at the top of a .csproj file), or even a transitive one. We do recommend reading Microsoft’s advisory GitHub Issue, as there are cases involving the consumption of net462 or netstandard2.0 binaries that need to be considered.
The vast majority of Duende IdentityServer and BFF applications will likely not be affected because the Duende.IdentityServer NuGet package has a web framework reference, bringing it transitively into your application.
Manually checking your dependencies with dotnet nuget why
If you’re unsure if your codebase is using the Microsoft.AspNetCore.DataProtection NuGet package, you can run the dotnet nuget why command locally. For this NuGet package, run the command dotnet nuget why Microsoft.AspNetCore.DataProtection from a directory with a .NET Solution or .csproj file.
The command outputs which project(s) have a direct or transitive dependency on that NuGet package. If you have a transitive reference (for example, you are using the Microsoft.AspNetCore.DataProtection.StackExchangeRedis or Microsoft.AspNetCore.DataProtection.EntityFrameworkCore packages that the Microsoft advisory mentions specifically), the command lists which of the NuGet packages you use reference it.
Update only if you are affected
If you believe you are affected by this vulnerability, see Microsoft's GitHub announcement for mitigation steps.
You must update the Microsoft.AspNetCore.DataProtection NuGet package to 10.0.7 or later. You will also need to add code to your application to revoke all (or specific) Data Protection keys.
Keep in mind that revoking Data Protection keys has disruptive effects on your connected applications and users. Signing/validation keys in storage are encrypted using Data Protection, so revoking keys will likely mean signing keys need to be rotated as well. Some planning around announcing new keys is recommended.
Our recommendation is to:
- Only implement the fix if your web applications (including Duende IdentityServer and BFF) are affected.
- Rotate your Data Protection keys if someone may have gained unauthorised access.
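As an added illustration of the "update, then revoke keys" step (this is example code written for this post's topic, not code from Duende or Microsoft), the following minimal ASP.NET Core host revokes every existing Data Protection key once at startup and creates a replacement. It assumes cookie authentication, a key ring persisted to a directory read from a hypothetical "DataProtection:KeyRingPath" configuration key, and a hypothetical DATAPROTECTION_REVOKE_ALL_KEYS environment variable used as a one-shot trigger; the package itself must already be at 10.0.7 or later.

```csharp
// Added example (not Duende's or Microsoft's code): one-time revocation of
// every existing Data Protection key after updating
// Microsoft.AspNetCore.DataProtection to 10.0.7 or later, so that cookies
// forged or refreshed before the patch can no longer be unprotected.
//
// Assumptions not taken from the post: the app is a minimal ASP.NET Core host
// using cookie authentication, the key ring lives in a directory taken from a
// hypothetical "DataProtection:KeyRingPath" configuration key, and revocation
// runs only when the hypothetical DATAPROTECTION_REVOKE_ALL_KEYS environment
// variable is set to "1".
using System.Linq;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDataProtection()
    // Every instance sharing this key ring must use the same application name.
    .SetApplicationName("example-app")
    .PersistKeysToFileSystem(new DirectoryInfo(
        builder.Configuration["DataProtection:KeyRingPath"] ?? "/var/example-app/keys"));

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();

var app = builder.Build();

if (Environment.GetEnvironmentVariable("DATAPROTECTION_REVOKE_ALL_KEYS") == "1")
{
    // IKeyManager is registered by AddDataProtection() and is a singleton.
    var keyManager = app.Services.GetRequiredService<IKeyManager>();
    var now = DateTimeOffset.UtcNow;

    int activeBefore = keyManager.GetAllKeys().Count(k => !k.IsRevoked);

    // Revokes every key created before 'now'. Unprotect() then rejects any
    // payload protected with those keys, authentication cookies included,
    // which signs out every user of this application.
    keyManager.RevokeAllKeys(
        now,
        reason: "CVE-2026-40372: invalidate payloads protected before the 10.0.7 update");

    // Create the replacement key right away instead of waiting for the key
    // ring provider to generate one on the next request. Its creation date is
    // after 'now', so the revocation above does not cover it.
    IKey replacement = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));

    int activeAfter = keyManager.GetAllKeys().Count(k => !k.IsRevoked);

    app.Logger.LogWarning(
        "Revoked {Revoked} Data Protection key(s); {Active} active key(s) remain, newest is {KeyId}. All users have been signed out.",
        activeBefore, activeAfter, replacement.KeyId);
}

app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", (HttpContext ctx) => ctx.User.Identity?.IsAuthenticated == true
    ? $"Hello {ctx.User.Identity.Name}"
    : "Not signed in");

app.Run();
```

Run the application once with the environment variable set and then remove it, so a later restart does not revoke the freshly created key as well. Other running instances that share the same key ring keep using their in-memory copy until they next refresh it, so restart them to make the revocation take effect everywhere at once. And, as noted above, signing/validation keys that were stored encrypted under the revoked Data Protection keys can no longer be read afterwards, so plan their rotation before you run this.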
Future Steps: Implement an SBOM strategy
If you were unsure whether you are using the Microsoft.AspNetCore.DataProtection NuGet package in any of your projects, now would be a good time to consider implementing an organization-wide strategy for generating a Software Bill of Materials (SBOM) file from your code.
An SBOM lets you track the dependencies of each of your applications and look up, at any time, which dependencies a given application has. The file can be generated by a build pipeline and tracked by internal software.
There are external tools you can use to generate an SBOM like sbom-tool from Microsoft, the Open Source tool cyclonedx-dotnet, or an Open Source GitHub Action gh-dotnet-generate-sbom. When you have a moment, feel free to research your options for generating the SBOM.
Thanks for stopping by!
We hope this post helped you on your identity and security journey. If you need a hand with implementation, our docs are always open. For everything else, come hang out with the team and other developers on GitHub.
If you want to get early access to new features and products while collaborating with experts in security and identity standards, join us in our Duende Product Insiders program. And if you prefer your tech content in video form, our YouTube channel is the place to be. Don't forget to like and subscribe!
Questions? Comments? Just want to say hi? Leave a comment below and let's start a conversation.