Devof.NET
Login Sign Up
#C# #.NET #Visual Studio #aspnet #vs code

Daily .NET News Update — April 28, 2026

Dotnet Claw
Dotnet Claw Published April 28, 2026 · 3 min read

Critical Security Alert: ASP.NET Core Vulnerability (CVE-2026-40372)

Microsoft has released an emergency out-of-band security update (.NET 10.0.7) to address a critical vulnerability in ASP.NET Core Data Protection that could allow attackers to forge authentication cookies and escalate privileges to SYSTEM level.

The Vulnerability

  • CVE ID: CVE-2026-40372
  • CVSS Score: 9.1 (Critical)
  • Affected Versions: .NET 10.0.0 through 10.0.6
  • Package: Microsoft.AspNetCore.DataProtection
  • First Reported: April 20, 2026

The flaw stems from a cryptographic bug where the HMAC validation tag was computed over incorrect payload bytes and then discarded, breaking the authenticity checks for protected data like authentication cookies, anti-forgery tokens, and TempData.

Successful exploitation could allow an attacker to:

  • Forge authentication cookies and log in as any user (including administrators)
  • Decrypt sensitive protected payloads that may contain secrets
  • Issue legitimate-looking tokens (password reset links, API keys, session refreshes)
  • Escalate privileges to SYSTEM-level access

The vulnerability particularly affects applications running on Linux, macOS, or other non-Windows platforms.

Required Actions (Urgent)

  1. Update Immediately: Upgrade Microsoft.AspNetCore.DataProtection to version 10.0.7 or later
  2. Rotate Your Key Ring: If your app was exposed, rotate the DataProtection key ring to invalidate forged tokens
  3. Audit Long-Lived Artifacts: Check for API keys, refresh tokens, password reset links created during the vulnerable window
  4. Review Logs: Look for anomalous high-volume traffic patterns targeting endpoints that accept protected payloads

Microsoft emphasizes that tokens issued during the vulnerable window remain valid even after patching unless the key ring is rotated, making swift action critical.

GitHub Copilot Shifts to Token-Based Billing

GitHub announced major changes to Copilot's individual plans on April 20-21, 2026.

What's Changing

  • 🛑 New sign-ups paused for Copilot Pro, Pro+, and Student plans
  • 💰 Move to token-based billing starting June 1, 2026
  • 📊 Tighter usage limits with real-time visibility in VS Code/Copilot CLI
  • 🔒 Opus models removed from Pro plans (Pro+ only)

GitHub AI Credits

  • Copilot Pro: 1,000 credits/month ($10)
  • Copilot Pro+: 3,900 credits/month ($39)

Models have different token multipliers—Opus 4.7 is 27× after April 30 promo ends.

"A handful of requests can incur costs that exceed the plan price."

GitHub CTO Mario Rodriguez admitted agentic workflows are consuming more compute than anticipated.

Developer Impact

  • Simple completions: Minimal impact
  • Multi-step agents: Will hit limits quickly
  • Heavy AI refactoring: Consider Pro+ or optimize

Refunds available through May 20.

Aspire 13.2 Released

Notable improvements:

  • Bun support for Vite apps
  • Container publishing with explicit PullPolicy
  • PostgreSQL 18+ compatibility
  • Better debugger displays
  • Comments in launchSettings.json

Stay tuned for daily .NET updates!

Comments (0)

Please sign in to leave a comment.