CoreWCF CVE-2026-54784
Severity by source: HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Network-reachable and unauthenticated (AV:N, PR:N), but requires on-path observation of the SCT handshake and a non-TLS configuration (AC:H); session keys recovered yield full read/forge of session traffic (C:H/I:H), no availability impact (A:N).
Primary rating from GitHub Advisory.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (GitHub Advisory)
Impact
When the proof key recovered from the RSTR can be observed by a party that is not the legitimate client, that party can impersonate the authenticated Windows principal for the lifetime of the SCT (default ~10 hours) and decrypt or forge any subsequent WS‑SecureConversation traffic that uses keys derived from the SCT.
Preconditions
Using security mode TransportWithMessageCredential with client credential type Windows, along with session establishment (which triggers use of WS-SecureConversation).
Patches
Fixed in CoreWCF v1.9.1
Workarounds
Ensure communication is protected by SSL/TLS to prevent capture of the SCT negotiation handshake.
Analysis (AI)
Authenticated principal impersonation in CoreWCF (versions >=1.9.0, <1.9.1) occurs because the SPNEGO SecurityContextToken proof key returned in the RequestSecurityTokenResponse (RSTR) is wrapped without confidentiality protection, allowing any on-path observer to recover it. An attacker who captures the unprotected handshake can impersonate the authenticated Windows principal for the SCT lifetime (~10 hours) and decrypt or forge subsequent WS-SecureConversation traffic. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires the CoreWCF service endpoint to be configured with security mode TransportWithMessageCredential and client credential type Windows, and the binding must use session establishment that triggers WS-SecureConversation - endpoints not using this exact combination are not affected. … |
| Risk Assessment | The CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N vector (7.4 High) correctly captures a network-reachable, unauthenticated, high-complexity attack with serious confidentiality and integrity impact and no availability impact - complexity is high because the attacker must be on-path during the SCT negotiation handshake. … |
| Exploit Scenario | An attacker positioned on the network path between a WCF client and a CoreWCF service - for example via ARP spoofing on a shared LAN, a compromised intermediate proxy, or an unencrypted hop - passively captures the SPNEGO RSTR during SCT negotiation and extracts the unwrapped proof key. Using that key the attacker derives the session keys, then either decrypts subsequent WS-SecureConversation messages or forges new ones that the server accepts as the authenticated Windows principal for up to ~10 hours. … |
| Remediation | Vendor-released patch: CoreWCF 1.9.1 - upgrade the CoreWCF.Primitives NuGet package to 1.9.1 or later as the primary fix, per advisory https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-2288-8h3r-cqgg. … |
Recommended Action (AI)
24 hours: Identify systems running CoreWCF 1.9.0-1.9.1 and assess network exposure. …
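An added example for the identification step (not code from the advisory or the CoreWCF project): it reads the resolved package graph from a `project.assets.json` file, so transitive references to CoreWCF.Primitives are seen, and flags source or config files that mention both precondition settings. The function names, the search patterns `MessageCredentialType.Windows` and `clientCredentialType="Windows"`, and the sample inputs are assumptions of this example.

```python
import json
import re

PACKAGE = "corewcf.primitives"                   # NuGet ids are case-insensitive
AFFECTED_FROM, FIXED_IN = (1, 9, 0), (1, 9, 1)   # range stated on this page
MODE = re.compile(r"\bTransportWithMessageCredential\b")
WINDOWS_CRED = re.compile(r'MessageCredentialType\.Windows\b|clientCredentialType\s*=\s*"Windows"')

def resolved_versions(assets_json):
    """Versions of CoreWCF.Primitives in a project.assets.json 'libraries' map,
    whose keys look like 'Name/Version' and include transitive packages."""
    libs = json.loads(assets_json).get("libraries", {})
    return [key.split("/", 1)[1] for key in libs
            if "/" in key and key.split("/", 1)[0].lower() == PACKAGE]

def version_status(version):
    """'affected', 'not-affected', or 'review' for anything not plain x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "review"                          # prerelease or 4-part: check by hand
    v = tuple(map(int, m.groups()))
    return "affected" if AFFECTED_FROM <= v < FIXED_IN else "not-affected"

def precondition_hits(sources):
    """Files that mention both the security mode and the Windows credential type.
    Text heuristic only: it cannot see bindings that are built dynamically."""
    return sorted(path for path, text in sources.items()
                  if MODE.search(text) and WINDOWS_CRED.search(text))

def triage(assets_json, sources):
    """Combine package status and binding heuristic into a patch priority."""
    statuses = {v: version_status(v) for v in resolved_versions(assets_json)}
    hits = precondition_hits(sources)
    vulnerable_pkg = "affected" in statuses.values()
    return {"versions": statuses, "binding_files": hits,
            "priority": "patch-now" if vulnerable_pkg and hits
                        else "patch" if vulnerable_pkg else "none"}

# Constructed sample input (not taken from a real project).
SAMPLE_ASSETS = json.dumps({"version": 3, "libraries": {
    "Example.Lib/2.0.0": {"type": "package"},
    "CoreWCF.Primitives/1.9.0": {"type": "package"}}})
SAMPLE_SOURCES = {
    "Startup.cs": "var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);\n"
                  "b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;",
    "Other.cs": "var b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);",
}
```

A "review" status or an empty `binding_files` list is not a clearance; the workaround above (TLS on every hop) still applies until the package is at 1.9.1 or later.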
Same weakness CWE-311 – Missing Encryption of Sensitive Data
Same technique Information Disclosure
GHSA-2288-8h3r-cqgg