Skip to main content

CoreWCF.Kafka CVE-2026-54775

MEDIUM
Uncaught Exception (CWE-248)
2026-06-19 https://github.com/CoreWCF/CoreWCF GHSA-m744-jhq9-ppw6
6.5
CVSS 3.1 · Vendor: https://github.com/CoreWCF/CoreWCF
Share

Severity by source

Vendor (https://github.com/CoreWCF/CoreWCF) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Write access to a Kafka topic is required (PR:L); a single null record halts the endpoint permanently with no confidentiality or integrity impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).

CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:48 vuln.today
Analysis Generated
Jun 19, 2026 - 21:48 vuln.today

DescriptionCVE.org

Impact

A CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic.

Preconditions

The attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits anonymous publishes, no authentication is required.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

Only allow authenticated writes to a topic

AnalysisAI

Persistent denial-of-service in CoreWCF.Kafka allows any attacker with write access to a consumed Kafka topic to permanently halt message processing by publishing a single null-value (tombstone) record. Affected versions span all CoreWCF.Kafka releases below 1.8.1 and the 1.9.0 release prior to 1.9.1. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain write access to target Kafka topic
Delivery
Publish single null-value (tombstone) record
Exploit
CoreWCF.Kafka consume pump encounters null payload
Execution
Uncaught exception terminates consumer loop
Impact
Topic message processing halts permanently until manual restart

Vulnerability AssessmentAI

Exploitation The attacker must have produce/write permission on a specific Kafka topic that a CoreWCF.Kafka service is actively consuming. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 6.5) is well-calibrated and consistent with the described behavior: network-reachable, low complexity, no user interaction, but requiring at least low-privilege produce rights to the targeted topic (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with write access to a Kafka broker - or operating against a broker that allows anonymous publishes - sends a single null-value tombstone record to the Kafka topic being consumed by a CoreWCF.Kafka service running a vulnerable version. The consume pump encounters the null payload and throws an uncaught exception (CWE-248), causing the consumer loop to exit without recovery. …
Remediation The primary remediation is to upgrade CoreWCF.Kafka to version 1.8.1 for deployments on the 1.x stable branch, or to version 1.9.1 for deployments on the 1.9.x branch, as confirmed by the vendor advisory at https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-m744-jhq9-ppw6. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy