CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation
Summary
| CVE | CVE-2026-54782 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-08 23:16:56 UTC |
| Updated | 2026-07-08 23:16:56 UTC |
| Description | CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML 1.1 and SAML 2.0 token validation does not correctly resolve the issuer signing key or require signed tokens when IdentityConfiguration is used with federated bindings, allowing an unauthenticated remote attacker to impersonate any principal the trusted STS could issue. This issue is fixed in versions 1.8.1 and 1.9.1. |
Risk And Classification
Primary CVSS: v3.1 10 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Problem Types: CWE-290 | CWE-347 | CWE-290 CWE-290: Authentication Bypass by Spoofing | CWE-347 CWE-347: Improper Verification of Cryptographic Signature
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 10 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| 3.1 | CNA | DECLARED | 10 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
ChangedConfidentiality
HighIntegrity
HighAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/CoreWCF/CoreWCF/commit/0e63c2cca55763d8be6b226a234579280a09e7b6 | [email protected] | github.com | |
| github.com/CoreWCF/CoreWCF/commit/e5cc9b6a4ecc102a50d782093bfc72e0790abe3d | [email protected] | github.com | |
| github.com/CoreWCF/CoreWCF/security/advisories/GHSA-xjr9-gg9q-jx3v | [email protected] | github.com | |
| github.com/CoreWCF/CoreWCF/commit/0b8c8af851260e85e8402af53233d1b8f87dfb6f | [email protected] | github.com | |
| github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1 | [email protected] | github.com | |
| github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1 | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.