CoreWCF.Kafka CVE-2026-54775
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Write access to a Kafka topic is required (PR:L); a single null record halts the endpoint permanently with no confidentiality or integrity impact.
Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).
CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Impact
A CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic.
Preconditions
The attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits anonymous publishes, no authentication is required.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
Only allow authenticated writes to a topic
AnalysisAI
Persistent denial-of-service in CoreWCF.Kafka allows any attacker with write access to a consumed Kafka topic to permanently halt message processing by publishing a single null-value (tombstone) record. Affected versions span all CoreWCF.Kafka releases below 1.8.1 and the 1.9.0 release prior to 1.9.1. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have produce/write permission on a specific Kafka topic that a CoreWCF.Kafka service is actively consuming. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 6.5) is well-calibrated and consistent with the described behavior: network-reachable, low complexity, no user interaction, but requiring at least low-privilege produce rights to the targeted topic (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with write access to a Kafka broker - or operating against a broker that allows anonymous publishes - sends a single null-value tombstone record to the Kafka topic being consumed by a CoreWCF.Kafka service running a vulnerable version. The consume pump encounters the null payload and throws an uncaught exception (CWE-248), causing the consumer loop to exit without recovery. … |
| Remediation | The primary remediation is to upgrade CoreWCF.Kafka to version 1.8.1 for deployments on the 1.x stable branch, or to version 1.9.1 for deployments on the 1.9.x branch, as confirmed by the vendor advisory at https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-m744-jhq9-ppw6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-248 – Uncaught Exception
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-m744-jhq9-ppw6