Microsoft.Identity.Web Library
Microsoft.Identity.Web
Microsoft.Identity.Web version
4.8.0
Web app
Sign-in users
Web API
Protected web APIs (validating tokens)
Token cache serialization
In-memory caches
Description
Microsoft.AspNetCore.DataProtection has a new CVE-2026-40372. It is fixed in version 10.0.7, however, this library uses 10.0.0.
Reproduction steps
- Use the library as dependency in a project
- Build
NU1903: Warning As Error: Package 'Microsoft.AspNetCore.DataProtection' 10.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-9mv3-2cwr-p262
Error message
NU1903: Warning As Error: Package 'Microsoft.AspNetCore.DataProtection' 10.0.0 has a known high severity vulnerability, GHSA-9mv3-2cwr-p262
Id Web logs
No response
Relevant code snippets
Build something using this as dependency
Regression
No response
Expected behavior
No error
Microsoft.Identity.Web Library
Microsoft.Identity.Web
Microsoft.Identity.Web version
4.8.0
Web app
Sign-in users
Web API
Protected web APIs (validating tokens)
Token cache serialization
In-memory caches
Description
Microsoft.AspNetCore.DataProtectionhas a new CVE-2026-40372. It is fixed in version 10.0.7, however, this library uses 10.0.0.Reproduction steps
NU1903: Warning As Error: Package 'Microsoft.AspNetCore.DataProtection' 10.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-9mv3-2cwr-p262Error message
NU1903: Warning As Error: Package 'Microsoft.AspNetCore.DataProtection' 10.0.0 has a known high severity vulnerability, GHSA-9mv3-2cwr-p262
Id Web logs
No response
Relevant code snippets
Regression
No response
Expected behavior
No error