Skip to main content

CoreWCF CVE-2026-54773

MEDIUM
Improper Verification of Cryptographic Signature (CWE-347)
2026-06-19 https://github.com/CoreWCF/CoreWCF GHSA-jc6x-rj79-w4mx
5.9
CVSS 3.1 · Vendor: https://github.com/CoreWCF/CoreWCF
Share

Severity by source

Vendor (https://github.com/CoreWCF/CoreWCF) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
5.9 MEDIUM

AC:H reflects mandatory dual non-default prerequisites (endorsing token binding plus attacker-resolvable key); integrity-only impact because signature substitution bypasses authentication without exposing data.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).

CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:48 vuln.today
Analysis Generated
Jun 19, 2026 - 21:48 vuln.today

DescriptionCVE.org

Impact

An unauthenticated remote attacker who can place a SOAP header lexically before wsse:Security can embed a ds:Signature of their choosing inside that header and cause the server to verify the attacker-supplied signature instead of the one carried in the security header.

Preconditions

Exploitation requires the endpoint be configured with an endorsing supporting token binding, and the attacker constructs a ds:Signature whose KeyInfo resolves through the receive-side token resolver to a key under the attacker’s control. Both are conditions outside the attacker’s direct control on a generic deployment.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

Use a security token resolver that only accepts references to issuer-pinned X.509 chains (the default when expecting a static set of signing certificates).

AnalysisAI

Signature substitution in CoreWCF's WS-Security message processing allows a remote unauthenticated attacker to replace the server's cryptographic integrity check with a signature of the attacker's choosing, effectively forging authenticated SOAP messages. Affected versions of CoreWCF.Primitives perform a document-wide lookup for ds:Signature elements rather than scoping verification to the wsse:Security header, so an attacker-injected signature in a preceding SOAP header is found and verified first. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify CoreWCF endpoint using endorsing supporting token binding
Delivery
Obtain key accepted by server's token resolver
Exploit
Craft SOAP envelope with injected ds:Signature in pre-wsse:Security header
Execution
Transmit crafted request over network
Persist
Server document-wide lookup resolves attacker signature first
Impact
Forged message passes integrity verification

Vulnerability AssessmentAI

Exploitation Two specific server-side prerequisites - both outside the attacker's direct control - must be satisfied. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) reflects accurate signal: network-reachable, no authentication required, but high attack complexity because two conditions outside the attacker's direct control must be true simultaneously. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a CoreWCF service that uses an endorsing supporting token binding obtains or generates a key pair that the server's token resolver will accept - for example, by exploiting a permissive trust store or by possessing a certificate issued by an accepted CA. The attacker crafts a SOAP envelope in which a synthetic header, placed before wsse:Security in document order, embeds a ds:Signature element signed with their private key. …
Remediation Upgrade CoreWCF.Primitives to v1.8.1 (for consumers on the 1.x stable branch) or v1.9.1 (for consumers on the 1.9.x branch), as confirmed by the GitHub Security Advisory at https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-jc6x-rj79-w4mx. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

CVE-2026-54773 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy