CoreWCF CVE-2026-54782
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Network-reachable federated endpoint, no auth or interaction required, only public STS certificate needed; scope changes as forged token crosses into relying-party identity context; no availability impact.
Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).
CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
Full impersonation of any principal the trusted STS could have issued an assertion for - including administrative principals when the relying party grants them via SAML claims. Affects both SAML 1.1 and SAML 2.0.
Preconditions
Relying-party service is hosted with WSFederationHttpBinding or WS2007FederationHttpBinding (or any binding that triggers FederatedSecurityTokenManager for issued-token validation), and IdentityConfiguration is wired (UseIdentityConfiguration = true). Attacker can reach the service over the network and knows the trusted STS’s public certificate (public certs are by design discoverable).
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
None
AnalysisAI
Authentication bypass in CoreWCF (NuGet CoreWCF.Primitives) versions prior to 1.8.1 and 1.9.0-1.9.1 allows remote unauthenticated attackers to forge SAML 1.1 and SAML 2.0 assertions and impersonate any principal - including administrative identities - that the trusted STS could issue tokens for. The flaw stems from improper SAML token signature validation (CWE-290) in FederatedSecurityTokenManager, and only the trusted STS's public certificate (discoverable by design) is required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The relying-party CoreWCF service must be hosted using WSFederationHttpBinding, WS2007FederationHttpBinding, or any binding that engages FederatedSecurityTokenManager for issued-token validation, AND IdentityConfiguration must be wired with UseIdentityConfiguration = true. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Risk is high for any deployment matching the precondition profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans the internet (or an internal network) for CoreWCF relying-party services exposing a WS-Federation binding, obtains the trusted STS's public certificate (publicly discoverable by design via metadata), and crafts a SAML 1.1 or 2.0 assertion claiming to be a high-privilege principal such as an administrator. They submit the forged token to the relying-party endpoint, which fails to properly validate the signature and accepts the assertion, granting the attacker authenticated access as the impersonated principal with whatever roles the relying party maps from SAML claims. … |
| Remediation | Vendor-released patch: upgrade CoreWCF.Primitives to 1.8.1 if you are on the 1.8.x branch, or to 1.9.1 if you are on the 1.9.x branch, per the GitHub Security Advisory at https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-xjr9-gg9q-jx3v. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all applications using CoreWCF.Primitives NuGet package, prioritizing those running versions prior to 1.8.1 and versions 1.9.0-1.9.1 that validate SAML tokens. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xjr9-gg9q-jx3v