Skip to main content

CoreWCF CVE-2026-54781

HIGH
Improper Authentication (CWE-287)
2026-06-19 https://github.com/CoreWCF/CoreWCF GHSA-48pq-2xq3-c2m4
7.4
CVSS 3.1 · Vendor: https://github.com/CoreWCF/CoreWCF
Share

Severity by source

Vendor (https://github.com/CoreWCF/CoreWCF) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

Network-reachable WS-Federation endpoint (AV:N); no credentials needed beyond the assertion itself (PR:N); AC:H because attacker depends on a permissive trusted STS issuing a triggering assertion shape; full confidentiality and integrity impact via identity impersonation, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).

CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:30 vuln.today
Analysis Generated
Jun 19, 2026 - 21:30 vuln.today

DescriptionCVE.org

Impact

The relying application is given a ClaimsPrincipal for a subject whose authority over the assertion the sender never proved. There are two distinct exploit shapes:

  • Holder-of-key downgrade. An attacker who obtains a holder-of-key SAML assertion that was issued without KeyInfo (issuer bug, custom STS shape, or assertion captured from an interaction where KeyInfo was elided) can present it to the service and be authenticated as the assertion’s subject without producing the proof key the assertion’s confirmation method would normally require. The service’s reliance on holder-of-key for sensitive actions is bypassed.
  • Custom-method bypass. An attacker who can obtain or arrange the issuance of a SAML assertion bearing a non-standard confirmation method URI (a permissive STS that accepts arbitrary method strings, an experimental custom IDP, or an attacker-side construction that the issuer signs without validating the method field) can present the assertion and be authenticated. Per-method policies that an application or a binding-level policy expects the framework to enforce are silently bypassed.
Preconditions

The service is configured to accept SAML 1.1 tokens via federation. Typical bindings are WS2007FederationHttpBinding and WSFederationHttpBinding, or any custom binding using IssuedSecurityTokenParameters with a SAML 1.1 token type. The attacker has obtained at least one signed SAML 1.1 assertion of a shape that triggers the bypass.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

To exploit this issue, it's required that a trusted STS issues SAML assertions whose SubjectConfirmationMethod is not one of the SAML 1.1 trio, or is willing to issue holder-of-key assertions without KeyInfo. If no trusted STS is willing to issue SAML assertions meeting either of these criteria, then a service isn't vulnerable.

AnalysisAI

Authentication bypass in CoreWCF (SAML 1.1 federation) allows remote attackers to be authenticated as the subject of a signed SAML assertion without proving holder-of-key possession or without a standard SubjectConfirmation method being enforced. Affects CoreWCF.Primitives versions before 1.8.1 and 1.9.0 through 1.9.1 when services consume SAML 1.1 tokens via WS2007FederationHttpBinding, WSFederationHttpBinding, or custom IssuedSecurityTokenParameters bindings. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify CoreWCF federation endpoint accepting SAML 1.1
Delivery
Obtain signed assertion from permissive STS
Exploit
Present token to WS-Federation binding
Execution
Bypass HoK proof or custom-method policy
Persist
Receive ClaimsPrincipal as subject
Impact
Invoke sensitive service operations as impersonated identity

Vulnerability AssessmentAI

Exploitation The relying service must be a CoreWCF endpoint configured to accept SAML 1.1 tokens via federation, specifically through WS2007FederationHttpBinding, WSFederationHttpBinding, or a custom binding using IssuedSecurityTokenParameters with a SAML 1.1 token type. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (7.4 High) reflects the genuine prerequisite that the attacker first obtain or coerce issuance of a signed SAML 1.1 assertion in a vulnerable shape - that drives AC:H and explains why this is not a trivial drive-by. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains a signed SAML 1.1 assertion from a permissive trusted STS - either captured from a legitimate interaction where KeyInfo was elided, or coerced from a custom IdP that signs assertions bearing an attacker-chosen SubjectConfirmationMethod URI. The attacker submits the assertion to a CoreWCF federation endpoint over WS-Federation, and CoreWCF returns a ClaimsPrincipal for the assertion's subject without demanding proof-of-possession (holder-of-key downgrade) or without enforcing the per-method policy the application expects (custom-method bypass). …
Remediation Vendor-released patch: upgrade CoreWCF.Primitives to 1.8.1 on the 1.8.x line or to 1.9.1 on the 1.9.x line, per GHSA-48pq-2xq3-c2m4 (https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-48pq-2xq3-c2m4). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all CoreWCF.Primitives installations identifying versions before 1.8.1 and versions 1.9.0-1.9.1; enumerate services using WS2007FederationHttpBinding, WSFederationHttpBinding, or custom IssuedSecurityTokenParameters. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy