
CoreWCF CVE-2026-54784

Severity: HIGH (7.4, CVSS 3.1 · GitHub Advisory)
Weakness: Missing Encryption of Sensitive Data (CWE-311)
Published: 2026-06-19
Repository: https://github.com/CoreWCF/CoreWCF
Advisory: GHSA-2288-8h3r-cqgg

Severity by source

GitHub Advisory (primary): 7.4 HIGH, AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI: 7.4 HIGH

Network-reachable and unauthenticated (AV:N, PR:N), but requires on-path observation of the SCT handshake and a non-TLS configuration (AC:H); session keys recovered yield full read/forge of session traffic (C:H/I:H), no availability impact (A:N).

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: Jun 19, 2026 - 21:33 (vuln.today)
Analysis Generated: Jun 19, 2026 - 21:33 (vuln.today)
CVE Published: Jun 19, 2026 - 20:47 (github-advisory)

Description (GitHub Advisory)

Impact

When the proof key recovered from the RSTR can be observed by a party that is not the legitimate client, that party can impersonate the authenticated Windows principal for the lifetime of the SCT (default ~10 hours) and decrypt or forge any subsequent WS‑SecureConversation traffic that uses keys derived from the SCT.

Preconditions

Using security mode TransportWithMessageCredential with client credential type Windows, along with session establishment (which triggers use of WS-SecureConversation).

Patches

Fixed in CoreWCF v1.9.1

Workarounds

Ensure communication is protected by SSL/TLS to prevent capturing of SCT negotiation handshake.

Analysis (AI)

Authenticated principal impersonation in CoreWCF (versions >=1.9.0, <1.9.1) occurs because the SPNEGO SecurityContextToken proof key returned in the RequestSecurityTokenResponse (RSTR) is wrapped without confidentiality protection, allowing any on-path observer to recover it. An attacker who captures the unprotected handshake can impersonate the authenticated Windows principal for the SCT lifetime (~10 hours) and decrypt or forge subsequent WS-SecureConversation traffic. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain on-path position to WCF traffic
Delivery: Observe SPNEGO RSTR during SCT negotiation
Exploit: Extract unwrapped proof key from RSTR
Execution: Derive WS-SecureConversation session keys
Persist: Decrypt or forge session messages
Impact: Impersonate Windows principal for ~10 hours

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the CoreWCF service endpoint to be configured with security mode TransportWithMessageCredential and client credential type Windows, and the binding must use session establishment that triggers WS-SecureConversation - endpoints not using this exact combination are not affected. …

Risk Assessment: The CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N vector (7.4 High) correctly captures a network-reachable, unauthenticated, high-complexity attack with serious confidentiality and integrity impact and no availability impact - complexity is high because the attacker must be on-path during the SCT negotiation handshake. …

Exploit Scenario: An attacker positioned on the network path between a WCF client and a CoreWCF service - for example via ARP spoofing on a shared LAN, a compromised intermediate proxy, or an unencrypted hop - passively captures the SPNEGO RSTR during SCT negotiation and extracts the unwrapped proof key. Using that key the attacker derives the session keys, then either decrypts subsequent WS-SecureConversation messages or forges new ones that the server accepts as the authenticated Windows principal for up to ~10 hours. …

Remediation: Vendor-released patch: CoreWCF 1.9.1 - upgrade the CoreWCF.Primitives NuGet package to 1.9.1 or later as the primary fix, per advisory https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-2288-8h3r-cqgg. …

Recommended Action (AI)

24 hours: Identify systems running CoreWCF 1.9.0-1.9.1 and assess network exposure. …
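One way to carry out that inventory over a source tree, as an added example that is not part of the advisory or of CoreWCF: it scans MSBuild project and props files for CoreWCF.Primitives references and classifies them against the range stated above (>=1.9.0, <1.9.1). The file names, the `review` status and the sample project contents are assumptions constructed for the demonstration.

```python
import re, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PACKAGE = "CoreWCF.Primitives"              # package named in the remediation text
AFFECTED_MIN, FIXED = (1, 9, 0), (1, 9, 1)  # range from the page: >=1.9.0, <1.9.1

def parse_version(text):
    """Return (major, minor, patch); None for floating, range or prerelease specs."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?", text.strip())
    return None if m is None else tuple(int(g or 0) for g in m.groups())

def local(tag):
    return tag.rsplit("}", 1)[-1]           # tolerate the legacy MSBuild xmlns

def references(path):
    """Yield the version string of each PACKAGE reference in one MSBuild XML file."""
    for elem in ET.parse(path).getroot().iter():
        if local(elem.tag) not in ("PackageReference", "PackageVersion"):
            continue
        name = elem.get("Include") or elem.get("Update") or ""
        if name.lower() != PACKAGE.lower():  # NuGet ids are case-insensitive
            continue
        child = next((c for c in elem if local(c.tag) == "Version"), None)
        yield elem.get("Version") or (child.text if child is not None else None)

def scan(root):
    """Return (relative path, version, status) for every reference under root."""
    findings = []
    for path in sorted(p for pat in ("*.csproj", "*.props") for p in Path(root).rglob(pat)):
        for version in references(path):
            parsed = parse_version(version or "")
            if parsed is None:
                status = "review"           # not pinned here: resolve it by hand
            else:
                status = "affected" if AFFECTED_MIN <= parsed < FIXED else "ok"
            findings.append((path.relative_to(root).as_posix(), version, status))
    return findings

def demo():
    """Scan a constructed tree (sample project files written here, not from the page)."""
    doc = "<Project{ns}><ItemGroup>{item}</ItemGroup></Project>"
    ns = ' xmlns="http://schemas.microsoft.com/developer/msbuild/2003"'
    samples = {
        "api.csproj": doc.format(ns="", item=f'<PackageReference Include="{PACKAGE}" Version="1.9.0" />'),
        "worker.csproj": doc.format(ns=ns, item=f'<PackageReference Include="{PACKAGE}"><Version>1.9.1</Version></PackageReference>'),
        "Directory.Packages.props": doc.format(ns="", item=f'<PackageVersion Include="{PACKAGE}" Version="1.9.*" />'),
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            (Path(d) / name).write_text(body)
        return scan(Path(d))
```

A `review` result means the declared version cannot be decided from the file alone, so the resolved version has to be checked in the build output or lock file.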
