CVE-2026-47303 is an ASP.NET Core Elevation of Privilege vulnerability described as an Authentication Bypass by Assumed-Immutable Data. Microsoft rates it CVSS v3.1 8.8 (High) with a temporal score of 7.7. The attack vector is NETWORK, attack complexity is LOW, privileges required are LOW, and user interaction is NONE. The impact is HIGH for confidentiality, integrity, and availability. Microsoft says customer action is required to resolve it. No public disclosure or active exploitation is reported, and exploit code maturity is UNPROVEN. Because it is network-reachable and does not require user interaction, it is relevant for enterprise environments where exposed ASP.NET Core services are accessible to attackers. Highlights: - CVSS scores: Base 8.8 - Temporal 7.7 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; confidentiality, integrity, and availability impacts are all HIGH. Microsoft states a successful attacker could gain SYSTEM privileges. - Exploitation likelihood: Exploitation Less Likely; vector context is NETWORK with LOW attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High. The network attack vector and lack of user interaction increase concern for exposed ASP.NET Core services, although there is no reported exploitation and the source indicates exploitation is less likely. - Patch status: available Affected systems: - No products listed in the source data