CVE-2026-40372
Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
CVSS
9.1
Critical
EPSS
11.2%
p95
KEV
—
Exploit Today
29
0-100
Published: Apr 21, 2026 · Last modified: Jul 15, 2026 · CWE-347
11.2%EPSS · 30 days11.2%
2026-06-302026-07-16
Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
- msrc.microsoft.comhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-40372
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2460224
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40372.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-4855810.0 CRI63.5%
KEV—69SimpleHelp Authentication Bypass Vulnerability16dCVE-2026-290009.1 CRI92.4%
——28pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.2dCVE-2026-33387.5 HIG51.8%
——16Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.2dCVE-2026-279629.1 CRI42.2%
——13Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.2dCVE-2026-15298.1 HIG36.6%
——11A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.2dCVE-2026-288029.8 CRI34.5%
——10Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7.2d