AspNetCore.DataProtection – Privilege Escalation
Summary
We are aware of the recent security advisories around CVE-2026-40372, which impacts the Microsoft.AspNetCore.DataProtection.* NuGet packages (10.0.0-10.0.6). This vulnerability allows padding attacks against impacted systems. It is a non-trivial attack vector that requires network access to impacted systems for an extended period of time.
We have carried out a review of our systems and found that this does not impact the VQCM instance, as we do not load or use any Microsoft.AspNetCore.DataProtection.* NuGet package at runtime. However, out of an abundance of caution, and to ensure we continue to meet high levels of security and transparency, we have made a patch playbook available. It replaces the Identity Server image on the VQCM, which handles authentication and token generation for user sessions. Once the playbook has been run, users will need to close any open browser sessions to the VQCM instance and log back in. If you experience issues logging in, we suggest clearing your browser history and using a new private browsing session to avoid issues with session caching.
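One way to run a similar check against your own .NET applications is sketched below. It is an added example, not part of the vendor's review or playbook. It assumes the application ships a `*.deps.json` manifest whose `libraries` keys have the form `Name/Version`. The sample manifest is constructed, and the function names are hypothetical.

```python
import json
import re
import sys

# Package prefix and affected range as stated in the advisory text above.
PREFIX = "microsoft.aspnetcore.dataprotection"
AFFECTED_MIN = (10, 0, 0)
AFFECTED_MAX = (10, 0, 6)

# Constructed sample manifest (not taken from any real product).
SAMPLE = json.dumps({"libraries": {
    "Microsoft.AspNetCore.DataProtection/10.0.4": {"type": "package"},
    "Microsoft.AspNetCore.DataProtection.Abstractions/10.0.6": {"type": "package"},
    "Microsoft.AspNetCore.DataProtection.Extensions/10.0.7": {"type": "package"},
    "Microsoft.AspNetCore.DataProtection.Extensions/9.0.5": {"type": "package"},
    "Newtonsoft.Json/13.0.3": {"type": "package"},
}})


def parse_version(text):
    """Return (major, minor, patch); pre-release/build suffixes are ignored,
    so a pre-release of an affected version is flagged conservatively."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def affected_packages(deps_json_text):
    """List (name, version) entries of a deps.json inside the affected range."""
    doc = json.loads(deps_json_text)
    hits = []
    for key in doc.get("libraries", {}):
        name, _, version = key.partition("/")
        lowered = name.lower()
        # Match the base package and its dotted sub-packages only.
        if lowered != PREFIX and not lowered.startswith(PREFIX + "."):
            continue
        parsed = parse_version(version)
        if parsed and AFFECTED_MIN <= parsed <= AFFECTED_MAX:
            hits.append((name, version))
    return sorted(hits)


if __name__ == "__main__":
    # Pass paths to *.deps.json files; with no arguments the sample is scanned.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE]
    for text in texts:
        for name, version in affected_packages(text):
            print(f"affected: {name} {version}")
```

A clean result covers only what the manifest declares, so it does not rule out assemblies deployed by other means.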


