Skip to main content

CoreWCF CVE-2026-54783

HIGH
Authentication Bypass by Capture-replay (CWE-294)
2026-06-19 https://github.com/CoreWCF/CoreWCF GHSA-gqv6-pwcg-87r8
7.4
CVSS 3.1 · Vendor: https://github.com/CoreWCF/CoreWCF
Share

Severity by source

Vendor (https://github.com/CoreWCF/CoreWCF) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

Network-exploitable once an envelope is captured (AV:N), capture prerequisite raises AC:H, no privileges or interaction needed; full confidentiality and integrity impact via impersonation, no availability effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).

CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:32 vuln.today
Analysis Generated
Jun 19, 2026 - 21:32 vuln.today

DescriptionCVE.org

Impact

The attacker, with one captured signed SOAP envelope from a victim and no other privileges, can invoke arbitrary operations on the service as the victim principal for the lifetime of the captured signing key. There is no rate limit on replays. The DetectReplays setting on transport-security bindings does not mitigate the issue because the attack does not reuse the original timestamp - the fresh timestamp in the wsse:Security header is what the replay-detection logic inspects.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

Ensure communication is protected by SSL/TLS to prevent capturing of signed SOAP envelope.

AnalysisAI

Authentication bypass via XML Signature Wrapping in CoreWCF allows attackers who capture a single signed SOAP envelope to replay arbitrary operations as the victim principal for the lifetime of the signing key. The flaw affects CoreWCF.Primitives versions below 1.8.1 and the 1.9.0 line below 1.9.1, defeating the DetectReplays mitigation because the attacker forges a fresh wsse:Security timestamp rather than reusing the original. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Intercept signed SOAP envelope on wire
Delivery
Extract signed element and signing context
Exploit
Craft replay with fresh wsse:Security timestamp
Execution
Submit to CoreWCF endpoint
Persist
Bypass DetectReplays via new timestamp
Impact
Invoke arbitrary operations as victim principal

Vulnerability AssessmentAI

Exploitation Requires the attacker to first capture at least one signed SOAP envelope sent to a CoreWCF service that uses WS-Security endorsing or supporting signatures, typically achievable when transport-level TLS is not enforced or when SOAP traffic is exposed via plaintext logs/proxies. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (7.4 High) reflects the realistic prerequisite that an attacker must first capture a signed SOAP envelope, which raises attack complexity but requires no privileges or user interaction once obtained. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on a network path (or with access to plaintext SOAP logs) captures one signed SOAP envelope from a legitimate user calling a CoreWCF service. They then craft a new request that wraps the captured signed element while inserting a fresh wsse:Security timestamp, and submit it to the same endpoint. …
Remediation Vendor-released patch: upgrade CoreWCF.Primitives to 1.8.1 on the 1.8.x branch or to 1.9.1 on the 1.9.x branch per advisory GHSA-gqv6-pwcg-87r8 (https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-gqv6-pwcg-87r8). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify CoreWCF.Primitives deployments using versions below 1.8.1 or in the 1.9.0 line below 1.9.1; document SOAP endpoint exposure and transaction types. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54783 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy