Microsoft Ships Emergency .NET 10.0.7 Patch for ASP.NET Core Cookie Forgery Bug
Microsoft has shipped an out-of-band .NET 10.0.7 update to fix a critical privilege-escalation bug in ASP.NET Core’s Data Protection component. The flaw, tracked as CVE-2026-40372, scores 9.1 on CVSS and lets an unauthenticated attacker forge authentication cookies and antiforgery tokens — effectively logging in as anyone, including SYSTEM-level accounts, on affected web apps. As reported by BleepingComputer, the bug was a regression introduced in the 14 April Patch Tuesday release, and Microsoft pushed the emergency fix on 21 April.
The Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6 are vulnerable. That’s a problem for any Australian business running a web application built on .NET 10 — line-of-business portals, customer logins, internal admin tools, payroll systems, anything that uses Data Protection to encrypt cookies or tokens. Forged tokens can also outlive the patch, so credentials and sessions issued before patching may need to be invalidated, and the OAIC will treat any resulting unauthorised access as a notifiable matter under the Privacy Act.
Update to .NET 10.0.7 today, redeploy any ASP.NET Core apps that pin the affected NuGet versions, and rotate Data Protection keys after patching so attacker-forged tokens can’t be reused. If you’re not sure whether your business runs ASP.NET Core anywhere, ask your IT provider — line-of-business app vendors and internal dev teams often run it without anyone outside engineering knowing.
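As an added example that is not part of the original post, the POSIX shell script below does the first inventory step a defender would take: walk a source tree, find every `.csproj` that explicitly pins `Microsoft.AspNetCore.DataProtection`, and flag pins inside the 10.0.0 to 10.0.6 range named in the advisory. The sample project files it creates in a temp directory are constructed for the demonstration; the helper names (`is_vulnerable_version`, `scan_csproj`, `make_sample`, `write_csproj`) are this example's own, not anything from Microsoft's tooling.

```shell
#!/bin/sh
# Added example (not from the article): flag .csproj files that pin
# Microsoft.AspNetCore.DataProtection to a version in the 10.0.0-10.0.6
# range. Uses only POSIX sh, find, grep and sed.

# Returns 0 (true) when a version string is in the affected range.
# Exact 10.0.0 ... 10.0.6, with or without a -prerelease suffix, match;
# 10.0.7 and later (including 10.0.10+) and other majors do not.
# Floating pins such as 10.0.* or NuGet range syntax are not interpreted.
is_vulnerable_version() {
    case "$1" in
        10.0.[0-6]|10.0.[0-6]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<file> <version>" for every pinned DataProtection reference under
# directory $1 whose version is in the affected range. Assumes the usual
# attribute order <PackageReference Include="..." Version="..." />.
scan_csproj() {
    find "$1" -name '*.csproj' | while IFS= read -r proj; do
        grep -o 'Include="Microsoft.AspNetCore.DataProtection"[^>]*Version="[^"]*"' "$proj" \
        | sed 's/.*Version="\([^"]*\)".*/\1/' \
        | while IFS= read -r ver; do
            if is_vulnerable_version "$ver"; then
                printf '%s %s\n' "$proj" "$ver"
            fi
        done
    done
}

# Write a minimal constructed .csproj at $1 pinning DataProtection to $2.
write_csproj() {
    mkdir -p "$(dirname "$1")"
    printf '%s\n' \
      '<Project Sdk="Microsoft.NET.Sdk.Web">' \
      '  <ItemGroup>' \
      "    <PackageReference Include=\"Microsoft.AspNetCore.DataProtection\" Version=\"$2\" />" \
      '  </ItemGroup>' \
      '</Project>' > "$1"
}

# Constructed sample tree: two affected pins, one already on 10.0.7.
make_sample() {
    dir=$(mktemp -d)
    write_csproj "$dir/Portal/Portal.csproj" 10.0.4    # affected
    write_csproj "$dir/Payroll/Payroll.csproj" 10.0.7  # already patched
    write_csproj "$dir/Admin/Admin.csproj" 10.0.6      # affected
    printf '%s\n' "$dir"
}

# Stand-alone demonstration against the constructed sample projects.
demo_dir=$(make_sample)
echo "Pinned Microsoft.AspNetCore.DataProtection references in the affected range:"
scan_csproj "$demo_dir"
rm -rf "$demo_dir"
```

Point `scan_csproj` at a real checkout instead of the sample to get the list of projects to redeploy. Two gaps to keep in mind: a grep over project files misses transitive references, which `dotnet list package --include-transitive` reports, and most ASP.NET Core apps do not pin this package at all but take it from the Microsoft.AspNetCore.App shared framework, so the installed runtime (`dotnet --list-runtimes`) has to be at 10.0.7 as well. On the key-rotation step, note that simply creating a new Data Protection key is not enough: older keys remain usable for unprotecting payloads until they are revoked, and revoking them is what invalidates every cookie and token issued under them, so plan for all users to sign in again.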
Need a hand checking your application stack and rotating keys after the patch? Our cybersecurity team can audit exposure and lock things down before someone else finds the gap.