Skip to main content

CoreWCF CVE-2026-54780

LOW
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-06-19 https://github.com/CoreWCF/CoreWCF GHSA-4v55-cpmv-3vcm
3.7
CVSS 3.1 · Vendor: https://github.com/CoreWCF/CoreWCF

Severity by source

Vendor (https://github.com/CoreWCF/CoreWCF) PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
3.7 LOW

Endpoint is network-reachable with no auth needed (AV:N/PR:N), but crafting a valid XMLDSig bypass demands specialized cryptographic knowledge (AC:H); only limited integrity impacted.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).

CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:52 vuln.today
Analysis Generated
Jun 19, 2026 - 21:52 vuln.today

DescriptionCVE.org

Impact

CoreWCF’s WS-Security 1.0 receive pipeline validates the SignatureMethod of an incoming ds:SignedInfo against the configured SecurityAlgorithmSuite, but does not validate the DigestMethod declared on each ds:Reference. As a result, a sender can populate ds:SignedInfo with SignatureMethod values the suite accepts (for example rsa-sha256 under Basic256Sha256) while declaring a per-reference DigestMethod the suite rejects (for example http://www.w3.org/2000/09/xmldsig#sha1). The signature is then verified where it permits SHA-1 digests, and the message is accepted.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

None

AnalysisAI

WS-Security DigestMethod validation in CoreWCF's receive pipeline can be bypassed, allowing a remote sender to present XML Digital Signatures that use cryptographically weak per-reference hash algorithms (e.g., SHA-1) even when the configured SecurityAlgorithmSuite explicitly prohibits them. Affected are all CoreWCF.Primitives releases below v1.8.1 and the 1.9.0 release (pre-1.9.1). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify reachable CoreWCF WS-Security endpoint
Delivery
Craft SOAP ds:SignedInfo with compliant SignatureMethod
Exploit
Embed SHA-1 DigestMethod on each ds:Reference
Execution
Submit message to endpoint
Persist
CoreWCF validates SignatureMethod only
Impact
Service accepts cryptographically weakened message as policy-compliant

Vulnerability AssessmentAI

Exploitation Exploitation requires a deployed CoreWCF service endpoint with WS-Security 1.0 message security enabled and a SecurityAlgorithmSuite configured that prohibits SHA-1 digests (e.g., Basic256Sha256, Basic256). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N accurately reflects the bounded impact: only limited message integrity is affected, and the High attack complexity acknowledges the specialized XMLDSig crafting skill required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a CoreWCF service endpoint secured with a Basic256Sha256 SecurityAlgorithmSuite sends a crafted SOAP message whose ds:SignedInfo carries a policy-compliant SignatureMethod (rsa-sha256) but substitutes http://www.w3.org/2000/09/xmldsig#sha1 as the DigestMethod on each ds:Reference. CoreWCF validates the SignatureMethod, finds it acceptable, and verifies the SHA-1 digests without checking suite conformance - accepting the message as legitimately signed. …
Remediation Upgrade CoreWCF.Primitives to v1.8.1 if consuming the 1.8.x branch, or to v1.9.1 if consuming the 1.9.x branch, as confirmed by the vendor advisory at https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-4v55-cpmv-3vcm. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54780 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy