Skip to main content

CoreWCF CVE-2026-54774

HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-19 https://github.com/CoreWCF/CoreWCF GHSA-rpj7-hr7h-w6p9
7.4
CVSS 3.1 · Vendor: https://github.com/CoreWCF/CoreWCF
Share

Severity by source

Vendor (https://github.com/CoreWCF/CoreWCF) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

Network-reachable SAML endpoint (AV:N), no auth needed because the bug bypasses auth (PR:N), high complexity due to required non-X.509 STS configuration and known key identifier (AC:H); impersonation yields C:H/I:H, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).

CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:30 vuln.today
Analysis Generated
Jun 19, 2026 - 21:30 vuln.today

DescriptionCVE.org

Impact

When a service is configured to validate SAML tokens using a method other than X.509 certificate signing, the final signature verification is skipped.

Preconditions

The service is configured to authenticate using SAML tokens and an out of band token resolver (commonly the IssuerTokenResolver of IssuedTokenServiceCredential) holds a non-X.509 SecurityToken whose key identifier the attacker can reference in the assertion’s <KeyInfo> - for example a BinarySecretSecurityToken representing the symmetric proof key issued by a WS-Trust symmetric-key holder-of-key STS.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

None

AnalysisAI

SAML token signature bypass in CoreWCF (versions <1.8.1 and 1.9.0) allows remote attackers to forge authenticated SAML assertions when the service validates tokens via a non-X.509 signing method. The SamlSerializer silently skips the final SignatureValue verification step, enabling assertion tampering and authentication bypass against WS-Trust holder-of-key configurations using symmetric proof keys. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify CoreWCF endpoint with SAML auth
Delivery
Fingerprint non-X.509 IssuerTokenResolver configuration
Exploit
Reference resolvable key identifier in crafted assertion <KeyInfo>
Install
Submit SAML token with forged SignatureValue
C2
SamlSerializer skips signature check
Execute
Service accepts assertion as authenticated
Impact
Impersonate target subject and access protected operations

Vulnerability AssessmentAI

Exploitation Exploitable only when the CoreWCF service is configured to authenticate using SAML tokens AND the IssuerTokenResolver of IssuedTokenServiceCredential (or an equivalent out-of-band resolver) holds a non-X.509 SecurityToken - most commonly a BinarySecretSecurityToken representing a symmetric proof key from a WS-Trust symmetric-key holder-of-key STS. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N yields 7.4 (High), reflecting unauthenticated network attack with high confidentiality and integrity impact but elevated complexity because the target service must use a specific non-X.509 SAML configuration (e.g., WS-Trust symmetric proof keys via IssuedTokenServiceCredential). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reach to a CoreWCF SOAP endpoint configured for WS-Trust symmetric-key holder-of-key SAML authentication crafts a SAML assertion whose <KeyInfo> references a BinarySecretSecurityToken known to the service's IssuerTokenResolver. Because SamlSerializer skips the SignatureValue verification on the non-X.509 path, the forged assertion is accepted and the attacker impersonates an arbitrary subject, gaining the privileges of the spoofed identity. …
Remediation Vendor-released patch: upgrade CoreWCF.Primitives to 1.8.1 (for the 1.8.x branch) or 1.9.1 (for the 1.9.x branch) as published in GHSA-rpj7-hr7h-w6p9 (https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-rpj7-hr7h-w6p9). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems running CoreWCF, prioritizing applications handling authentication or sensitive transactions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54774 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy