CoreWCF CVE-2026-54781
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Network-reachable WS-Federation endpoint (AV:N); no credentials needed beyond the assertion itself (PR:N); AC:H because attacker depends on a permissive trusted STS issuing a triggering assertion shape; full confidentiality and integrity impact via identity impersonation, no availability impact.
Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).
CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
The relying application is given a ClaimsPrincipal for a subject whose authority over the assertion the sender never proved. There are two distinct exploit shapes:
- Holder-of-key downgrade. An attacker who obtains a holder-of-key SAML assertion that was issued without KeyInfo (issuer bug, custom STS shape, or assertion captured from an interaction where KeyInfo was elided) can present it to the service and be authenticated as the assertion’s subject without producing the proof key the assertion’s confirmation method would normally require. The service’s reliance on holder-of-key for sensitive actions is bypassed.
- Custom-method bypass. An attacker who can obtain or arrange the issuance of a SAML assertion bearing a non-standard confirmation method URI (a permissive STS that accepts arbitrary method strings, an experimental custom IDP, or an attacker-side construction that the issuer signs without validating the method field) can present the assertion and be authenticated. Per-method policies that an application or a binding-level policy expects the framework to enforce are silently bypassed.
Preconditions
The service is configured to accept SAML 1.1 tokens via federation. Typical bindings are WS2007FederationHttpBinding and WSFederationHttpBinding, or any custom binding using IssuedSecurityTokenParameters with a SAML 1.1 token type. The attacker has obtained at least one signed SAML 1.1 assertion of a shape that triggers the bypass.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
To exploit this issue, it's required that a trusted STS issues SAML assertions whose SubjectConfirmationMethod is not one of the SAML 1.1 trio, or is willing to issue holder-of-key assertions without KeyInfo. If no trusted STS is willing to issue SAML assertions meeting either of these criteria, then a service isn't vulnerable.
AnalysisAI
Authentication bypass in CoreWCF (SAML 1.1 federation) allows remote attackers to be authenticated as the subject of a signed SAML assertion without proving holder-of-key possession or without a standard SubjectConfirmation method being enforced. Affects CoreWCF.Primitives versions before 1.8.1 and 1.9.0 through 1.9.1 when services consume SAML 1.1 tokens via WS2007FederationHttpBinding, WSFederationHttpBinding, or custom IssuedSecurityTokenParameters bindings. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The relying service must be a CoreWCF endpoint configured to accept SAML 1.1 tokens via federation, specifically through WS2007FederationHttpBinding, WSFederationHttpBinding, or a custom binding using IssuedSecurityTokenParameters with a SAML 1.1 token type. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (7.4 High) reflects the genuine prerequisite that the attacker first obtain or coerce issuance of a signed SAML 1.1 assertion in a vulnerable shape - that drives AC:H and explains why this is not a trivial drive-by. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains a signed SAML 1.1 assertion from a permissive trusted STS - either captured from a legitimate interaction where KeyInfo was elided, or coerced from a custom IdP that signs assertions bearing an attacker-chosen SubjectConfirmationMethod URI. The attacker submits the assertion to a CoreWCF federation endpoint over WS-Federation, and CoreWCF returns a ClaimsPrincipal for the assertion's subject without demanding proof-of-possession (holder-of-key downgrade) or without enforcing the per-method policy the application expects (custom-method bypass). … |
| Remediation | Vendor-released patch: upgrade CoreWCF.Primitives to 1.8.1 on the 1.8.x line or to 1.9.1 on the 1.9.x line, per GHSA-48pq-2xq3-c2m4 (https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-48pq-2xq3-c2m4). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all CoreWCF.Primitives installations identifying versions before 1.8.1 and versions 1.9.0-1.9.1; enumerate services using WS2007FederationHttpBinding, WSFederationHttpBinding, or custom IssuedSecurityTokenParameters. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-48pq-2xq3-c2m4