CoreWCF CVE-2026-54780
LOWSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Endpoint is network-reachable with no auth needed (AV:N/PR:N), but crafting a valid XMLDSig bypass demands specialized cryptographic knowledge (AC:H); only limited integrity impacted.
Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).
CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
CoreWCF’s WS-Security 1.0 receive pipeline validates the SignatureMethod of an incoming ds:SignedInfo against the configured SecurityAlgorithmSuite, but does not validate the DigestMethod declared on each ds:Reference. As a result, a sender can populate ds:SignedInfo with SignatureMethod values the suite accepts (for example rsa-sha256 under Basic256Sha256) while declaring a per-reference DigestMethod the suite rejects (for example http://www.w3.org/2000/09/xmldsig#sha1). The signature is then verified where it permits SHA-1 digests, and the message is accepted.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
None
AnalysisAI
WS-Security DigestMethod validation in CoreWCF's receive pipeline can be bypassed, allowing a remote sender to present XML Digital Signatures that use cryptographically weak per-reference hash algorithms (e.g., SHA-1) even when the configured SecurityAlgorithmSuite explicitly prohibits them. Affected are all CoreWCF.Primitives releases below v1.8.1 and the 1.9.0 release (pre-1.9.1). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a deployed CoreWCF service endpoint with WS-Security 1.0 message security enabled and a SecurityAlgorithmSuite configured that prohibits SHA-1 digests (e.g., Basic256Sha256, Basic256). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N accurately reflects the bounded impact: only limited message integrity is affected, and the High attack complexity acknowledges the specialized XMLDSig crafting skill required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a CoreWCF service endpoint secured with a Basic256Sha256 SecurityAlgorithmSuite sends a crafted SOAP message whose ds:SignedInfo carries a policy-compliant SignatureMethod (rsa-sha256) but substitutes http://www.w3.org/2000/09/xmldsig#sha1 as the DigestMethod on each ds:Reference. CoreWCF validates the SignatureMethod, finds it acceptable, and verifies the SHA-1 digests without checking suite conformance - accepting the message as legitimately signed. … |
| Remediation | Upgrade CoreWCF.Primitives to v1.8.1 if consuming the 1.8.x branch, or to v1.9.1 if consuming the 1.9.x branch, as confirmed by the vendor advisory at https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-4v55-cpmv-3vcm. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4v55-cpmv-3vcm