CoreWCF CVE-2026-54774
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Network-reachable SAML endpoint (AV:N), no auth needed because the bug bypasses auth (PR:N), high complexity due to required non-X.509 STS configuration and known key identifier (AC:H); impersonation yields C:H/I:H, no availability impact.
Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).
CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
When a service is configured to validate SAML tokens using a method other than X.509 certificate signing, the final signature verification is skipped.
Preconditions
The service is configured to authenticate using SAML tokens and an out of band token resolver (commonly the IssuerTokenResolver of IssuedTokenServiceCredential) holds a non-X.509 SecurityToken whose key identifier the attacker can reference in the assertion’s <KeyInfo> - for example a BinarySecretSecurityToken representing the symmetric proof key issued by a WS-Trust symmetric-key holder-of-key STS.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
None
AnalysisAI
SAML token signature bypass in CoreWCF (versions <1.8.1 and 1.9.0) allows remote attackers to forge authenticated SAML assertions when the service validates tokens via a non-X.509 signing method. The SamlSerializer silently skips the final SignatureValue verification step, enabling assertion tampering and authentication bypass against WS-Trust holder-of-key configurations using symmetric proof keys. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitable only when the CoreWCF service is configured to authenticate using SAML tokens AND the IssuerTokenResolver of IssuedTokenServiceCredential (or an equivalent out-of-band resolver) holds a non-X.509 SecurityToken - most commonly a BinarySecretSecurityToken representing a symmetric proof key from a WS-Trust symmetric-key holder-of-key STS. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N yields 7.4 (High), reflecting unauthenticated network attack with high confidentiality and integrity impact but elevated complexity because the target service must use a specific non-X.509 SAML configuration (e.g., WS-Trust symmetric proof keys via IssuedTokenServiceCredential). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reach to a CoreWCF SOAP endpoint configured for WS-Trust symmetric-key holder-of-key SAML authentication crafts a SAML assertion whose <KeyInfo> references a BinarySecretSecurityToken known to the service's IssuerTokenResolver. Because SamlSerializer skips the SignatureValue verification on the non-X.509 path, the forged assertion is accepted and the attacker impersonates an arbitrary subject, gaining the privileges of the spoofed identity. … |
| Remediation | Vendor-released patch: upgrade CoreWCF.Primitives to 1.8.1 (for the 1.8.x branch) or 1.9.1 (for the 1.9.x branch) as published in GHSA-rpj7-hr7h-w6p9 (https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-rpj7-hr7h-w6p9). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all systems running CoreWCF, prioritizing applications handling authentication or sensitive transactions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-rpj7-hr7h-w6p9