#cve-2026-40372

Field Note · May 1, 2026 · Colten Anderson

Patch CVE-2026-40372, then rotate the keys

The ASP.NET Core DataProtection fix stops new forged payloads. It does not clean up tokens your app may have issued while the vulnerable code was live.