Skip to main content

CoreWCF CVE-2026-54779

MEDIUM
Authentication Bypass by Capture-replay (CWE-294)
2026-06-19 https://github.com/CoreWCF/CoreWCF GHSA-9jr3-rj99-8jq3
5.9
CVSS 3.1 · Vendor: https://github.com/CoreWCF/CoreWCF
Share

Severity by source

Vendor (https://github.com/CoreWCF/CoreWCF) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
5.9 MEDIUM

AC:H reflects mandatory prior token capture; PR:N because the attacker presents a stolen credential without holding system privileges; I:H for full user impersonation; C:N as no data is directly disclosed by the replay itself.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).

CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:51 vuln.today
Analysis Generated
Jun 19, 2026 - 21:51 vuln.today

DescriptionCVE.org

Impact

When enabling DetectReplayedTokens, a token can be replayed and will be detected despite it being reused.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

Provide your own implementation of ITokenReplayCache with the correct behavior.

AnalysisAI

SAML token replay protection in CoreWCF.Primitives is silently inoperative when DetectReplayedTokens is explicitly enabled, allowing replay attacks to succeed against WCF services using SAML-based federated authentication. Affected versions of the NuGet package CoreWCF.Primitives include all releases before 1.8.1 and the 1.9.0 release prior to 1.9.1. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Capture valid SAML token via interception
Delivery
Identify CoreWCF endpoint with DetectReplayedTokens enabled
Exploit
Submit replayed token to service
Execution
Broken ITokenReplayCache accepts duplicate token
Impact
Obtain authenticated session as victim user

Vulnerability AssessmentAI

Exploitation Exploitation requires that the targeted CoreWCF service explicitly enable DetectReplayedTokens in its security configuration - this is a non-default opt-in setting, so services without this configuration are not affected by this specific CVE. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.9 Medium, with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, accurately reflects the key constraints. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a passive network position or access to a compromised token store intercepts a valid SAML bearer token issued to a legitimate user authenticating to a CoreWCF service endpoint. The attacker replays the captured token to the same endpoint within its validity period; rather than being rejected by the ITokenReplayCache, the token is accepted as if it had never been seen. …
Remediation Vendor-released patches are available: upgrade CoreWCF.Primitives to version 1.8.1 if on the 1.8.x release train, or to version 1.9.1 if on the 1.9.x release train, via NuGet. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54779 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy