ASP.NET Core Security Feature Bypass Vulnerability
Description
ASP.NET Core Security Feature Bypass Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker can bypass validation on ASP.NET Core Blazor Server forms, potentially triggering unintended actions in affected .NET versions.
Vulnerability Overview
CVE-2023-36558 is a security feature bypass vulnerability in ASP.NET Core that specifically affects Blazor Server applications. The root cause lies in the validation mechanism for Blazor server forms, which can be circumvented by an unauthenticated attacker [1][2]. This bypass allows the attacker to trigger unintended actions within the application, effectively undermining the security feature intended to prevent unauthorized form submissions.
Exploitation Conditions
Exploitation requires no authentication and no special privileges. The attacker only needs network access to a vulnerable Blazor Server application. The vulnerability is present in ASP.NET Core Blazor 6.0 (up to 6.0.24), 7.0 (up to 7.0.13), and 8.0 RC2 [1][2]. Other ASP.NET Core application types that do not use Blazor are not affected.
Impact
A successful attack could lead to unintended actions being performed on the server, such as data modification or unauthorized operations, depending on the application's logic. The advisory does not specify remote code execution or data exfiltration, but the bypass could enable further exploitation if combined with other weaknesses [1][2].
Mitigation
Microsoft has released patches for all affected versions: .NET 6.0.25, .NET 7.0.14, and .NET 8.0.0 [1][2]. Developers should update their applications to these patched versions immediately. No workarounds are provided, and the only mitigation is applying the update.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.AspNetCore.Components (NuGet) | >= 8.0.0-rc.2.23480.2, < 8.0.0 | 8.0.0 |
| Microsoft.AspNetCore.Components (NuGet) | >= 7.0.0, < 7.0.14 | 7.0.14 |
| Microsoft.AspNetCore.Components (NuGet) | >= 6.0.0, < 6.0.25 | 6.0.25 |
Affected products
osv-coords (34 versions):
- pkg:bitnami/aspnet-core (no CPE), range: >= 6.0.0, < 6.0.25
- pkg:bitnami/dotnet (no CPE), range: >= 6.0.0, < 6.0.25
- pkg:bitnami/dotnet-sdk (no CPE), range: >= 6.0.0, < 6.0.25
- pkg:nuget/microsoft.aspnetcore.components (no CPE), range: >= 8.0.0-rc.2.23480.2, < 8.0.0
- pkg:rpm/almalinux/aspnetcore-runtime-6.0 (no CPE), range: < 6.0.25-1.el9_3
- pkg:rpm/almalinux/aspnetcore-runtime-7.0 (no CPE), range: < 7.0.14-1.el9_3
- pkg:rpm/almalinux/aspnetcore-runtime-8.0 (no CPE), range: < 8.0.0-2.el9_3
- pkg:rpm/almalinux/aspnetcore-targeting-pack-6.0 (no CPE), range: < 6.0.25-1.el9_3
- pkg:rpm/almalinux/aspnetcore-targeting-pack-7.0 (no CPE), range: < 7.0.14-1.el9_3
- pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 (no CPE), range: < 8.0.0-2.el9_3
- pkg:rpm/almalinux/dotnet (no CPE), range: < 8.0.100-2.el8_9
- pkg:rpm/almalinux/dotnet-apphost-pack-6.0 (no CPE), range: < 6.0.25-1.el9_3
- pkg:rpm/almalinux/dotnet-apphost-pack-7.0 (no CPE), range: < 7.0.14-1.el9_3
- pkg:rpm/almalinux/dotnet-apphost-pack-8.0 (no CPE), range: < 8.0.0-2.el9_3
- pkg:rpm/almalinux/dotnet-host (no CPE), range: < 8.0.0-2.el9_3
- pkg:rpm/almalinux/dotnet-hostfxr-6.0 (no CPE), range: < 6.0.25-1.el9_3
- pkg:rpm/almalinux/dotnet-hostfxr-7.0 (no CPE), range: < 7.0.14-1.el9_3
- pkg:rpm/almalinux/dotnet-hostfxr-8.0 (no CPE), range: < 8.0.0-2.el9_3
- pkg:rpm/almalinux/dotnet-runtime-6.0 (no CPE), range: < 6.0.25-1.el9_3
- pkg:rpm/almalinux/dotnet-runtime-7.0 (no CPE), range: < 7.0.14-1.el9_3
- pkg:rpm/almalinux/dotnet-runtime-8.0 (no CPE), range: < 8.0.0-2.el9_3
- pkg:rpm/almalinux/dotnet-sdk-6.0 (no CPE), range: < 6.0.125-1.el9_3
- pkg:rpm/almalinux/dotnet-sdk-6.0-source-built-artifacts (no CPE), range: < 6.0.125-1.el9_3
- pkg:rpm/almalinux/dotnet-sdk-7.0 (no CPE), range: < 7.0.114-1.el9_3
- pkg:rpm/almalinux/dotnet-sdk-7.0-source-built-artifacts (no CPE), range: < 7.0.114-1.el9_3
- pkg:rpm/almalinux/dotnet-sdk-8.0 (no CPE), range: < 8.0.100-2.el9_3
- pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts (no CPE), range: < 8.0.100-2.el9_3
- pkg:rpm/almalinux/dotnet-targeting-pack-6.0 (no CPE), range: < 6.0.25-1.el9_3
- pkg:rpm/almalinux/dotnet-targeting-pack-7.0 (no CPE), range: < 7.0.14-1.el9_3
- pkg:rpm/almalinux/dotnet-targeting-pack-8.0 (no CPE), range: < 8.0.0-2.el9_3
- pkg:rpm/almalinux/dotnet-templates-6.0 (no CPE), range: < 6.0.125-1.el9_3
- pkg:rpm/almalinux/dotnet-templates-7.0 (no CPE), range: < 7.0.114-1.el9_3
- pkg:rpm/almalinux/dotnet-templates-8.0 (no CPE), range: < 8.0.100-2.el9_3
- pkg:rpm/almalinux/netstandard-targeting-pack-2.1 (no CPE), range: < 8.0.100-2.el9_3
- Microsoft/ASP.NET Core 6.0 (v5), range: 6.0
- Microsoft/ASP.NET Core 7.0 (v5), range: 7.0.0
- Microsoft/ASP.NET Core 8.0 (v5), range: 8.0
- Microsoft/Microsoft Visual Studio 2022 version 17.2 (v5), range: 17.2.0
- Microsoft/Microsoft Visual Studio 2022 version 17.4 (v5), range: 17.4.0
- Microsoft/Microsoft Visual Studio 2022 version 17.6 (v5), range: 17.6.0
- Microsoft/Microsoft Visual Studio 2022 version 17.7 (v5), range: 17.7.0
- Microsoft/.NET 6.0 (v5), range: 6.0.0
- Microsoft/.NET 7.0 (v5), range: 7.0.0
- Microsoft/.NET 8.0 (v5), range: 8.0
References
- github.com/advisories/GHSA-3fx3-85r4-8j3w (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36558 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-36558 (ghsa, ADVISORY)
- github.com/dotnet/announcements/issues/288 (ghsa, WEB)
- github.com/dotnet/runtime/security/advisories/GHSA-3fx3-85r4-8j3w (ghsa, WEB)