On July 14, 2026, Microsoft disclosed CVE-2026-45646, a high-severity denial-of-service vulnerability in ASP.NET OData packages that can be triggered remotely by an unauthenticated attacker. The flaw carries a CVSS 3.1 score of 7.5 and affects applications using Microsoft.AspNet.OData prior to 7.8.0 or Microsoft.AspNetCore.OData prior to 9.5.0. Patching requires a NuGet package update and redeployment of affected services — not a Windows or .NET runtime update.

What Exactly Did Microsoft Disclose?

Microsoft's Security Response Center assigned the vulnerability CWE-770, "Allocation of Resources Without Limits or Throttling." In practical terms, a specially crafted request to an OData endpoint can consume excessive server resources — memory, CPU, or threads — without any effective cap, ultimately degrading or crashing the service. The vulnerability can be exploited over the network, requires no authentication or user interaction, and has low attack complexity. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms that an attacker can achieve a high availability impact without compromising confidentiality or integrity.

Microsoft has not publicly described the exact request pattern that triggers the flaw. The advisory establishes only that the vulnerability exists in the OData processing pipeline and can lead to resource exhaustion. This lack of detail makes it impossible to craft reliable network signatures, but the risk is clear: any internet-facing OData service built with affected packages is vulnerable until updated.

The Cybersecurity and Infrastructure Security Agency (CISA) rated the vulnerability as automatable in its initial stakeholder-specific categorization, meaning automated attacks are feasible. As of the July 14 disclosure, CISA had not recorded any observed exploitation, but the absence of known attacks should not delay remediation.

Which Applications Are Actually at Risk?

The affected packages are:

  • Microsoft.AspNet.OData versions 7.0.0 through anything earlier than 7.8.0 (used in traditional ASP.NET projects)
  • Microsoft.AspNetCore.OData versions 9.0.0 through anything earlier than 9.5.0 (used in ASP.NET Core projects)

These libraries are added to projects via NuGet. An application is vulnerable if it directly or transitively references a vulnerable version. This includes:

  • Legacy ASP.NET Web API services with OData endpoints
  • Modern ASP.NET Core minimal APIs or controllers using OData
  • Internal shared libraries that package OData functionality
  • Any third-party NuGet packages that themselves depend on affected OData libraries

A common mistake is to assume that updating the .NET runtime or installing July's Windows security updates will fix the problem. It will not. The fix is delivered exclusively through NuGet packages, and each affected application must be explicitly updated.

To identify vulnerable projects, developers can run the following command inside the solution or project directory:

dotnet list package --include-transitive

This output will show all direct and transitive dependencies. Look for entries like:

  • Microsoft.AspNet.OData with a version below 7.8.0
  • Microsoft.AspNetCore.OData with a version below 9.5.0

Also inspect .csproj files, Directory.Packages.props if using Central Package Management, and any packages.config files. For containers or self-contained deployments, scan the final build artifacts because the dependency may be embedded.

How to Apply the Fix

The patched packages — version 7.8.0 for AspNet.OData and 9.5.0 for AspNetCore.OData — are available on NuGet as of July 14, 2026. To upgrade:

  1. Update the package reference in your project file or via the NuGet CLI:
    shell dotnet add package Microsoft.AspNet.OData --version 7.8.0 dotnet add package Microsoft.AspNetCore.OData --version 9.5.0
    Or update the version numbers directly in the project XML.
  2. Rebuild the entire solution to ensure all dependent binaries are recompiled.
  3. Redeploy the application. For IIS-hosted apps, copy the updated files to the production directory and restart the application pool. For containers, rebuild images without caching the vulnerable layer, push the new image, and update the deployment to use the new tag or digest. For Azure App Service, CI/CD pipelines must rebuild and redeploy, and slot swap procedures should verify that the new slot runs the updated packages.

Self-contained deployments and single-file executables must be republished because the OData binaries are bundled into the output. Simply running dotnet publish again after updating the package reference is typically sufficient, but always verify the published output.

Why OS Patching Doesn't Protect You

CVE-2026-45646 is not a flaw in Windows or the .NET runtime. It resides in application code distributed as NuGet packages. When Microsoft releases monthly security updates for Windows, those updates rarely touch third-party library directories inside application folders, containers, or self-contained deployments.

This divergence often creates a false sense of security. A Windows Server administrator might fully patch all operating system components on the host, yet a vulnerable OData service running in a container or under IIS will remain vulnerable unless the application itself is updated. In DevOps environments, platform and application teams must coordinate: server patching solves one class of risk; redeploying rebuilt applications solves another.

What an Attack Could Look Like

Without a public proof-of-concept, defenders must reason from the CWE classification. Resource-exhaustion vulnerabilities in OData services often stem from query options that trigger expensive backend operations. For example:

  • Deep $expand directives that force the server to load large object graphs
  • Complex $filter expressions that translate into heavy database queries
  • Unbounded $top or $count on large data sets

An attacker might send a single HTTP request that causes the server to allocate memory or CPU in proportion to attacker-controlled parameters. Because exploitation requires no authentication, a small botnet could amplify the impact by sending many such requests simultaneously, overwhelming the service.

While Microsoft's advisory states that no confidentiality or integrity impact exists, a complete denial of service can still be catastrophic for business-critical APIs. An unavailable order-processing endpoint or public data service can cause direct financial and reputational damage.

What to Do Right Now

Immediate Mitigations

  1. Rate Limiting: Place internet-facing OData endpoints behind a rate limiter. Restrict the number of requests per client IP, per time window.
  2. Authentication: If feasible, require authentication for every OData endpoint. Even anonymous data services can often be fronted by a gateway that validates API keys or user credentials.
  3. Query Complexity Limits: Configure OData to limit $expand depth (e.g., MaxExpansionDepth), page size (PageSize), and overall query execution time. Sample ASP.NET Core startup code:
    csharp services.AddOData(options => options .Select().Filter().OrderBy().Expand().Count().SetMaxTop(100) .AddRouteComponents("odata", builder => { builder.Expand().MaxExpansionDepth(3); }));
  4. Timeout Everything: Ensure load balancers, reverse proxies, and the Kestrel/IIS server enforce upfront timeouts. For Kestrel, set KeepAliveTimeout and RequestTimeout appropriately.
  5. Monitor for Anomalies: Alert on sudden spikes in CPU, memory, or garbage collection pauses from application pools. Look for an unusual number of identical or structurally similar OData query URLs in access logs.

These measures reduce exposure while you test and deploy the patch, but they are not replacements for updating. An attacker who learns the exact trigger may be able to bypass rate limits with a single catastrophic request.

Testing the Upgrade

Because the patched packages are fresh releases, test thoroughly before rolling to production:

  • Verify that $metadata endpoints return correctly and that all entity types, functions, and actions are present.
  • Exercise common queries — filtering, ordering, pagination, expansions — against staging environments.
  • If your application uses API versioning, confirm that versioned OData routes still work.
  • Check custom query validators, model binders, or serialization settings for regressions.

For large organizations, coordinate the update across all affected microservices and internal packages. Use software bills of materials (SBOMs) or dependency scanning tools to find every project that references the vulnerable OData packages, including transitive references through internal libraries.

Outlook

Microsoft may release additional technical details or a detection guide as it monitors exploitation activity. Organizations should watch for any updates to the CVE page, particularly if CVE-2026-45646 is added to CISA's Known Exploited Vulnerabilities catalog. Security vendors may also publish signatures or detection rules once the attack vector becomes public.

In the longer term, this vulnerability highlights the need to treat SDK-level NuGet dependencies as critical attack surface. Regular SBOM audits, automated dependency updates, and integration of NuGet package scanning into CI/CD pipelines can catch such issues before they become emergency patching exercises.