CoreWCF CVE-2026-54783
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Network-exploitable once an envelope is captured (AV:N), capture prerequisite raises AC:H, no privileges or interaction needed; full confidentiality and integrity impact via impersonation, no availability effect.
Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).
CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
The attacker, with one captured signed SOAP envelope from a victim and no other privileges, can invoke arbitrary operations on the service as the victim principal for the lifetime of the captured signing key. There is no rate limit on replays. The DetectReplays setting on transport-security bindings does not mitigate the issue because the attack does not reuse the original timestamp - the fresh timestamp in the wsse:Security header is what the replay-detection logic inspects.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
Ensure communication is protected by SSL/TLS to prevent capturing of signed SOAP envelope.
AnalysisAI
Authentication bypass via XML Signature Wrapping in CoreWCF allows attackers who capture a single signed SOAP envelope to replay arbitrary operations as the victim principal for the lifetime of the signing key. The flaw affects CoreWCF.Primitives versions below 1.8.1 and the 1.9.0 line below 1.9.1, defeating the DetectReplays mitigation because the attacker forges a fresh wsse:Security timestamp rather than reusing the original. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the attacker to first capture at least one signed SOAP envelope sent to a CoreWCF service that uses WS-Security endorsing or supporting signatures, typically achievable when transport-level TLS is not enforced or when SOAP traffic is exposed via plaintext logs/proxies. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (7.4 High) reflects the realistic prerequisite that an attacker must first capture a signed SOAP envelope, which raises attack complexity but requires no privileges or user interaction once obtained. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on a network path (or with access to plaintext SOAP logs) captures one signed SOAP envelope from a legitimate user calling a CoreWCF service. They then craft a new request that wraps the captured signed element while inserting a fresh wsse:Security timestamp, and submit it to the same endpoint. … |
| Remediation | Vendor-released patch: upgrade CoreWCF.Primitives to 1.8.1 on the 1.8.x branch or to 1.9.1 on the 1.9.x branch per advisory GHSA-gqv6-pwcg-87r8 (https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-gqv6-pwcg-87r8). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify CoreWCF.Primitives deployments using versions below 1.8.1 or in the 1.9.0 line below 1.9.1; document SOAP endpoint exposure and transaction types. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-294 – Authentication Bypass by Capture-replay
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-gqv6-pwcg-87r8