CoreWCF UnixDomainSocket CVE-2026-54776
MEDIUMSeverity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
UDS socket access requires a local low-privilege OS account (AV:L, PR:L); bypass impacts service data and operations at limited scope with no availability effect (C:L/I:L/A:N).
Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).
CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
A CoreWCF service hosted on Unix Domain Sockets with the PosixIdentity client credential type (UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and Security.Transport.ClientCredentialType = PosixIdentity) does not require the client to perform the application/unixposix stream upgrade before dispatching messages.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
Restrict filesystem access to the UDS socket file using owner/group/mode (e.g. chmod 0660 plus a dedicated group) so that only the POSIX users who are already authorized to invoke the service can connect at all. This makes the missing-upgrade behaviour equivalent to the operating system’s filesystem permissions instead of relying on framing-layer identity checks. Avoid relying on ServiceSecurityContext.PrimaryIdentity for authorization decisions, or back it up with an authentication-required authorization policy that rejects anonymous principals.
AnalysisAI
Authentication bypass in CoreWCF.UnixDomainSocket (NuGet) allows local OS users to invoke service operations without completing the required POSIX identity security upgrade, rendering framing-layer identity checks ineffective. Services using UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and ClientCredentialType = PosixIdentity are affected - the server dispatches messages before the application/unixposix stream upgrade is performed, meaning the caller's identity resolves as anonymous or unintended. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) The CoreWCF service must be explicitly configured with UnixDomainSocketBinding using Security.Mode = TransportCredentialOnly and Security.Transport.ClientCredentialType = PosixIdentity - this is a non-default configuration that must be deliberately set by the developer; (2) the attacker must be a local OS user with read/write filesystem access to the specific UDS socket file path at the time of connection - remote attackers cannot reach Unix Domain Sockets by design; (3) the service must perform downstream authorization decisions that rely on ServiceSecurityContext.PrimaryIdentity or otherwise trust the framing-layer identity resolution. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-provided CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N scoring 4.4 (Medium) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with a low-privilege OS account and read/write access to the UDS socket file connects to the CoreWCF service endpoint and sends a well-formed service message without first completing the application/unixposix stream upgrade handshake. Because the server does not enforce upgrade completion before dispatch, the message is accepted and processed with the caller's identity resolved as anonymous or as an unintended principal. … |
| Remediation | The primary fix is to upgrade the CoreWCF.UnixDomainSocket NuGet package to version 1.8.1 (for consumers on the 1.8.x stable track) or version 1.9.1 (for consumers on the 1.9.x line), as confirmed by the vendor advisory at https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-wjpq-6766-7f5j. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-wjpq-6766-7f5j