Skip to main content

CoreWCF CVE-2026-54782

CRITICAL
Authentication Bypass by Spoofing (CWE-290)
2026-06-19 https://github.com/CoreWCF/CoreWCF GHSA-xjr9-gg9q-jx3v
10.0
CVSS 3.1 · Vendor: https://github.com/CoreWCF/CoreWCF
Share

Severity by source

Vendor (https://github.com/CoreWCF/CoreWCF) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
10.0 CRITICAL

Network-reachable federated endpoint, no auth or interaction required, only public STS certificate needed; scope changes as forged token crosses into relying-party identity context; no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).

CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:31 vuln.today
Analysis Generated
Jun 19, 2026 - 21:31 vuln.today

DescriptionCVE.org

Impact

Full impersonation of any principal the trusted STS could have issued an assertion for - including administrative principals when the relying party grants them via SAML claims. Affects both SAML 1.1 and SAML 2.0.

Preconditions

Relying-party service is hosted with WSFederationHttpBinding or WS2007FederationHttpBinding (or any binding that triggers FederatedSecurityTokenManager for issued-token validation), and IdentityConfiguration is wired (UseIdentityConfiguration = true). Attacker can reach the service over the network and knows the trusted STS’s public certificate (public certs are by design discoverable).

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

None

AnalysisAI

Authentication bypass in CoreWCF (NuGet CoreWCF.Primitives) versions prior to 1.8.1 and 1.9.0-1.9.1 allows remote unauthenticated attackers to forge SAML 1.1 and SAML 2.0 assertions and impersonate any principal - including administrative identities - that the trusted STS could issue tokens for. The flaw stems from improper SAML token signature validation (CWE-290) in FederatedSecurityTokenManager, and only the trusted STS's public certificate (discoverable by design) is required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify CoreWCF service with WS-Federation binding
Delivery
Retrieve trusted STS public certificate from metadata
Exploit
Craft forged SAML 1.1/2.0 assertion with admin claims
Execution
Submit token to relying-party endpoint
Persist
Bypass signature validation in FederatedSecurityTokenManager
Impact
Gain impersonated session as administrative principal

Vulnerability AssessmentAI

Exploitation The relying-party CoreWCF service must be hosted using WSFederationHttpBinding, WS2007FederationHttpBinding, or any binding that engages FederatedSecurityTokenManager for issued-token validation, AND IdentityConfiguration must be wired with UseIdentityConfiguration = true. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Risk is high for any deployment matching the precondition profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans the internet (or an internal network) for CoreWCF relying-party services exposing a WS-Federation binding, obtains the trusted STS's public certificate (publicly discoverable by design via metadata), and crafts a SAML 1.1 or 2.0 assertion claiming to be a high-privilege principal such as an administrator. They submit the forged token to the relying-party endpoint, which fails to properly validate the signature and accepts the assertion, granting the attacker authenticated access as the impersonated principal with whatever roles the relying party maps from SAML claims. …
Remediation Vendor-released patch: upgrade CoreWCF.Primitives to 1.8.1 if you are on the 1.8.x branch, or to 1.9.1 if you are on the 1.9.x branch, per the GitHub Security Advisory at https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-xjr9-gg9q-jx3v. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all applications using CoreWCF.Primitives NuGet package, prioritizing those running versions prior to 1.8.1 and versions 1.9.0-1.9.1 that validate SAML tokens. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy