.NET July 2026 Security Updates: What They Mean for Your Duende Deployments
On July 14, 2026, Microsoft released the .NET July 2026 security updates, shipping .NET 10.0.10, 9.0.18, and 8.0.29. This is a big one: 17 security advisories in a single Patch Tuesday, covering the runtime, ASP.NET Core, and the SDK.
We've reviewed every advisory against our products. The short version: no Duende packages are affected, and no Duende patch releases are required. The fixes all live in the .NET runtime and shared framework, so you get them by updating your .NET installation. Here's what you need to know.
What Microsoft Fixed
The July updates address vulnerabilities across several areas. The ones most relevant to identity and access management workloads:
- XML encryption (EncryptedXml): five advisories (CVE-2026-47302, CVE-2026-47304, CVE-2026-50525, CVE-2026-50527, CVE-2026-50648) covering denial-of-service and a security feature bypass when processing crafted encrypted XML.
- TLS: a denial-of-service in TLS handshake processing (CVE-2026-50524) and an authorization bypass in
SslStream(CVE-2026-50528). - X.509 certificate parsing: a denial-of-service when parsing crafted certificates (CVE-2026-57108).
- HTTP/2: an out-of-memory denial-of-service (CVE-2026-50651).
- Negotiate authentication: two elevation-of-privilege issues in the ASP.NET Core Negotiate handler (CVE-2026-47300, CVE-2026-47303).
The remaining advisories cover SignalR stateful reconnect, the SMTP client, WPF XAML parsing, and the SDK container build process. The full list is in the dotnet/announcements repository.
How This Affects Duende Products
We checked every affected package against IdentityServer, BFF, and the rest of our library stack, including all supported release lines.
The good news: nothing changes in our packages. Unlike the Microsoft.BCL.Memory issue earlier this year, none of the vulnerable components are NuGet dependencies of our published packages. They are part of the .NET runtime and the ASP.NET Core shared framework, which your application picks up from the .NET installation on the machine. Updating your runtime updates the vulnerable code, with no package changes needed from us or from you.
A few areas deserve a closer look, so here's what we verified:
IdentityServer and XML encryption. IdentityServer 8.x uses EncryptedXml in its SAML support to decrypt SAML assertions. We reviewed the July fixes in detail against our code. The patched logic (transform validation and recursion depth limits in XML parsing) runs entirely in the shared framework, and our code builds on top of it rather than reimplementing it. Once your host runs .NET 10.0.10, IdentityServer's SAML processing is protected. IdentityServer 7.x does not include SAML support and doesn't use EncryptedXml at all.
TLS, X.509, and HTTP/2 fixes. If your IdentityServer host terminates TLS directly, all three apply to you. If you sit behind a reverse proxy or load balancer that terminates TLS, your exposure is smaller but not zero. The X.509 parsing fix matters either way: IdentityServer parses certificates from sources other than the TLS handshake, such as x5c headers in client assertions, JWKS documents, SAML metadata, and client certificates forwarded by your proxy in mTLS setups. The TLS fixes also cover outbound connections your host makes (backchannel calls, JWKS retrieval), and the HTTP/2 fix applies if the proxy-to-app hop uses HTTP/2, or if the proxy itself runs on .NET, as with YARP or Duende BFF. In every case the fix ships with the runtime, so updating your .NET installation (or your base container images) is what closes them.
Negotiate and SignalR advisories. These only apply if your own application uses Negotiate authentication with LDAP role retrieval, or SignalR with stateful reconnect. Duende products don't use either.
What Should You Do?
Update your .NET runtime. Install the July 2026 servicing release for the version you run:
| Runtime | Patched version |
|---|---|
| .NET 10 | 10.0.10 (SDK 10.0.302) |
| .NET 9 | 9.0.18 (SDK 9.0.316) |
| .NET 8 | 8.0.29 (SDK 8.0.129) |
Downloads and release notes are available on the .NET download pages.
Rebuild and redeploy your containers. If you deploy with Docker, update your mcr.microsoft.com/dotnet/aspnet base images to the July releases and rebuild. If you pin base images by digest (a good supply chain practice), update the pin to the digest of the patched image. If you use floating tags, make sure your build actually pulls the new image rather than reusing a cached layer.
Update your build agents. The SDK updates also fix a container image build tampering issue (CVE-2026-50526), so update the SDK on CI machines too, especially shared build servers.
That's it. No Duende package updates to install, no configuration changes, no workarounds.
A Note on Behavior Changes
The EncryptedXml fixes tighten what the parser accepts: CipherReference transforms are now restricted to a built-in allowlist, and deeply nested encrypted XML structures are rejected. Legitimate SAML traffic is unaffected, since standard SAML encryption uses none of the newly blocked constructs. Microsoft provides AppContext switches to restore the old behavior if you run into an edge case, but we recommend leaving the new defaults in place.
If you have questions about your specific deployment, reach out through the Duende support channels. And as always: keep your runtimes patched. Most of the fixes in this round protect you at the host level, below any application code.