Skip to main content

CoreWCF UnixDomainSocket CVE-2026-54776

MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-06-19 https://github.com/CoreWCF/CoreWCF GHSA-wjpq-6766-7f5j
4.4
CVSS 3.1 · Vendor: https://github.com/CoreWCF/CoreWCF
Share

Severity by source

Vendor (https://github.com/CoreWCF/CoreWCF) PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.4 MEDIUM

UDS socket access requires a local low-privilege OS account (AV:L, PR:L); bypass impacts service data and operations at limited scope with no availability effect (C:L/I:L/A:N).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).

CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:49 vuln.today
Analysis Generated
Jun 19, 2026 - 21:49 vuln.today

DescriptionCVE.org

Impact

A CoreWCF service hosted on Unix Domain Sockets with the PosixIdentity client credential type (UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and Security.Transport.ClientCredentialType = PosixIdentity) does not require the client to perform the application/unixposix stream upgrade before dispatching messages.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

Restrict filesystem access to the UDS socket file using owner/group/mode (e.g. chmod 0660 plus a dedicated group) so that only the POSIX users who are already authorized to invoke the service can connect at all. This makes the missing-upgrade behaviour equivalent to the operating system’s filesystem permissions instead of relying on framing-layer identity checks. Avoid relying on ServiceSecurityContext.PrimaryIdentity for authorization decisions, or back it up with an authentication-required authorization policy that rejects anonymous principals.

AnalysisAI

Authentication bypass in CoreWCF.UnixDomainSocket (NuGet) allows local OS users to invoke service operations without completing the required POSIX identity security upgrade, rendering framing-layer identity checks ineffective. Services using UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and ClientCredentialType = PosixIdentity are affected - the server dispatches messages before the application/unixposix stream upgrade is performed, meaning the caller's identity resolves as anonymous or unintended. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege local OS account
Delivery
Discover or infer UDS socket file path
Exploit
Open socket without application/unixposix upgrade
Execution
Server dispatches message without identity check
Persist
Execute service operations as anonymous principal
Impact
Bypass POSIX identity authorization logic

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) The CoreWCF service must be explicitly configured with UnixDomainSocketBinding using Security.Mode = TransportCredentialOnly and Security.Transport.ClientCredentialType = PosixIdentity - this is a non-default configuration that must be deliberately set by the developer; (2) the attacker must be a local OS user with read/write filesystem access to the specific UDS socket file path at the time of connection - remote attackers cannot reach Unix Domain Sockets by design; (3) the service must perform downstream authorization decisions that rely on ServiceSecurityContext.PrimaryIdentity or otherwise trust the framing-layer identity resolution. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-provided CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N scoring 4.4 (Medium) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with a low-privilege OS account and read/write access to the UDS socket file connects to the CoreWCF service endpoint and sends a well-formed service message without first completing the application/unixposix stream upgrade handshake. Because the server does not enforce upgrade completion before dispatch, the message is accepted and processed with the caller's identity resolved as anonymous or as an unintended principal. …
Remediation The primary fix is to upgrade the CoreWCF.UnixDomainSocket NuGet package to version 1.8.1 (for consumers on the 1.8.x stable track) or version 1.9.1 (for consumers on the 1.9.x line), as confirmed by the vendor advisory at https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-wjpq-6766-7f5j. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy