CoreWCF CVE-2026-54779
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
AC:H reflects mandatory prior token capture; PR:N because the attacker presents a stolen credential without holding system privileges; I:H for full user impersonation; C:N as no data is directly disclosed by the replay itself.
Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).
CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
When enabling DetectReplayedTokens, a token can be replayed and will be detected despite it being reused.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
Provide your own implementation of ITokenReplayCache with the correct behavior.
AnalysisAI
SAML token replay protection in CoreWCF.Primitives is silently inoperative when DetectReplayedTokens is explicitly enabled, allowing replay attacks to succeed against WCF services using SAML-based federated authentication. Affected versions of the NuGet package CoreWCF.Primitives include all releases before 1.8.1 and the 1.9.0 release prior to 1.9.1. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the targeted CoreWCF service explicitly enable DetectReplayedTokens in its security configuration - this is a non-default opt-in setting, so services without this configuration are not affected by this specific CVE. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.9 Medium, with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, accurately reflects the key constraints. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a passive network position or access to a compromised token store intercepts a valid SAML bearer token issued to a legitimate user authenticating to a CoreWCF service endpoint. The attacker replays the captured token to the same endpoint within its validity period; rather than being rejected by the ITokenReplayCache, the token is accepted as if it had never been seen. … |
| Remediation | Vendor-released patches are available: upgrade CoreWCF.Primitives to version 1.8.1 if on the 1.8.x release train, or to version 1.9.1 if on the 1.9.x release train, via NuGet. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-294 – Authentication Bypass by Capture-replay
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9jr3-rj99-8jq3