CVE-2026-45646 asp.net core odata vulnerability
Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Quick answer
microsoft asp.net core odata should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Review vendor advisory for affected versions.
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
CVE-2026-45646 affects ASP.NET Core OData. The issue can let remote traffic consume too many resources and cause a denial of service. Update the package and add request limits.
- Update ASP.NET Core OData and related ASP.NET packages to versions that fix CVE-2026-45646.
- Add limits for query depth, expansion, filtering, page size, and request body size.
- Put rate limits in front of public OData endpoints.
- Monitor CPU, memory, and slow requests for OData routes.
- Deploy the fix first to public APIs and services with anonymous access.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the deployed package version is patched.
- Run safe load tests against OData endpoints and confirm heavy queries are blocked or limited.
- Run a fresh vulnerability scan and confirm the CVE is cleared.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-45646?
microsoft asp.net core odata should be checked against the vendor advisory and trusted references linked on this page.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
