CVE-2026-47300: ASP.NET Core Privilege Flaw Lacks Patch Details

Microsoft published CVE-2026-47300 on July 14, identifying an elevation-of-privilege vulnerability in ASP.NET Core, but the initial Security Update Guide entry exposes little actionable technical detail beyond the product and impact category. Administrators should treat the advisory as a prompt to inventory ASP.NET Core deployments and watch for Microsoft’s corresponding .NET servicing guidance rather than infer an attack path from the title alone.
The entry appeared in the Microsoft Security Response Center’s July 14 release and was timestamped at 7:00 a.m. Pacific time. At publication, Microsoft’s public-facing material did not clearly establish the affected ASP.NET Core versions, patched builds, CVSS score, exploitation assessment, or whether attacks have been observed.
That missing information matters. Elevation of privilege can describe anything from an authenticated user crossing an application authorization boundary to a remote attacker acquiring a more powerful identity, and those scenarios produce radically different patching priorities.

Cybersecurity operations dashboard showing .NET deployment, Windows servers, identity controls, and vulnerability monitoring.The CVE Exists, but the Attack Story Is Still Thin​

The text accompanying CVE-2026-47300 describes how confidence in a vulnerability can range from an uncorroborated report to vendor confirmation. It is explanatory language for the advisory’s confidence or maturity metric, not a technical description of how this particular ASP.NET Core flaw works.
In practical terms, the CVE’s publication by MSRC confirms that Microsoft recognizes a security issue, but it does not tell defenders whether the underlying mistake involves ASP.NET Core Identity, authentication cookies, authorization middleware, Data Protection, Kestrel, SignalR, Blazor, or another framework component. It also does not establish whether exploitation requires valid credentials, special application configuration, local access, or network reachability.
Those distinctions should prevent administrators from jumping to conclusions based on earlier ASP.NET Core vulnerabilities. In April 2026, for example, Microsoft released .NET 10.0.7 out of band for CVE-2026-40372, a separate elevation-of-privilege flaw involving affected versions of Microsoft.AspNetCore.DataProtection. Microsoft’s .NET announcement explained that the earlier bug could permit forged authentication cookies under specific package, target-framework, and operating-system conditions.
There is currently no public basis for assuming CVE-2026-47300 is another Data Protection issue or shares CVE-2026-40372’s exposure conditions. Similar Microsoft vulnerability titles frequently cover unrelated code paths, prerequisites, and consequences.
The safest reading is therefore narrow: ASP.NET Core contains a newly disclosed privilege-escalation weakness, while the publicly available technical picture remains incomplete.

Patch the Runtime and the Application Supply Chain​

ASP.NET Core servicing is more complicated than applying a Windows cumulative update and rebooting. A vulnerable component may arrive through the machine-wide ASP.NET Core shared framework, the Windows Hosting Bundle used with IIS, a directly referenced NuGet package, a self-contained deployment, or a container image bundled into an application release.
That means Windows Update alone should not be considered proof that an ASP.NET Core service is protected. Development and operations teams need to identify how each application receives its runtime and framework components.
A useful first pass on Windows servers is:
Code:
dotnet --info
dotnet --list-runtimes
dotnet --list-sdks
The runtime inventory should be checked for entries under Microsoft.AspNetCore.App, not merely Microsoft.NETCore.App. IIS-hosted applications also warrant verification of the installed Hosting Bundle and ASP.NET Core Module because those installations have their own servicing and deployment considerations.
Applications published as self-contained carry their selected runtime with them. Installing a newer shared runtime on the server does not silently replace the runtime files inside those deployments; the application normally needs to be rebuilt and republished using a corrected servicing version.
Containers create a similar boundary. Updating the .NET runtime on a Docker or Windows container host does not update an existing application image. Teams must refresh the base-image reference, rebuild the image, run validation, and replace the deployed containers. Image digests should be checked rather than trusting a reused floating tag in a long-lived pipeline.
NuGet dependencies add another layer. Administrators working with the source tree can use commands such as:
dotnet list package --include-transitive
That inventory can reveal whether an ASP.NET Core component is referenced directly or pulled into the project transitively. Once Microsoft identifies the affected package or framework version for CVE-2026-47300, that output can be matched against the advisory rather than relying on application names or assumptions about the server’s installed runtime.

Version Numbers Must Come From This Advisory​

Microsoft’s June 2026 .NET servicing release delivered .NET 10.0.9, .NET 9.0.17, and .NET 8.0.28, according to the official .NET Blog. Those builds provide a useful baseline for identifying obviously stale systems, but they should not automatically be described as the fixes for CVE-2026-47300.
The vulnerability was published more than a month later, on July 14. Its actual corrected versions must be confirmed through Microsoft’s July servicing release notes, the MSRC affected-product table, or a dedicated .NET security announcement.
This chronology is especially important for automated compliance systems. A scanner may report that a host has an in-support .NET release while the application still carries an older self-contained runtime or affected NuGet assembly. Conversely, a generic CVE match may flag a server that has ASP.NET Core installed even if the vulnerable component is not loaded by any deployed application.
Microsoft currently supports .NET 10 as a long-term support release. .NET 8 and .NET 9 are also still serviced but are scheduled to reach end of support on November 10, 2026, as detailed by the .NET team in June. Organizations still operating production workloads on either branch should use this patch cycle to plan migration to .NET 10 rather than treating another servicing update as a substitute for lifecycle work.
Preview builds of .NET 11 should not be used as a production remediation path unless Microsoft explicitly documents them as affected and corrected. Production services belong on supported stable branches with a repeatable patch and redeployment process.

Defenders Should Watch Identity Boundaries, Not Just Servers​

Until Microsoft provides the attack prerequisites, monitoring should focus on the places where an ASP.NET Core application converts input into identity, authorization, or privileged actions. Relevant telemetry includes authentication failures, unusual role changes, administrative endpoint access, token issuance, password-reset operations, API-key creation, and unexpected changes to user claims.
Reverse-proxy, IIS, Kestrel, application, identity-provider, and database audit logs may each preserve different pieces of that chain. Security teams should retain July 14-era logs rather than wait for a proof of concept to establish what indicators would have been useful.
Internet-facing applications deserve the first review, followed by internal administrative portals and APIs that rely heavily on the assumption that network location equals trust. An elevation-of-privilege bug may be valuable even when it does not provide initial access, because attackers commonly use ordinary accounts, stolen sessions, or compromised service identities as their starting point.
Teams should also avoid emergency configuration changes based solely on speculation. Disabling authentication middleware, rotating every cryptographic key, or invalidating all sessions can disrupt production without addressing the vulnerable path. Those actions become appropriate only if Microsoft’s technical guidance links CVE-2026-47300 to the corresponding identity or cryptographic subsystem.
The immediate job is to establish ownership: identify every ASP.NET Core application, record its framework and package versions, classify its deployment model, and determine who can rebuild it. The decisive milestone will be Microsoft’s affected-version and fixed-version matrix, because for ASP.NET Core, installing a patch on the host and actually replacing the vulnerable application bits are often two different operations.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top