Threat Advisory

CoreWCF Vulnerability Allows SAML Authentication Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in CoreWCF.Primitives, the core package of CoreWCF, the .NET Core port of Windows Communication Foundation. Affected versions are those prior to 1.8.1 and the 1.9.0 through 1.9.1 release range. The issues span authentication bypass, token confidentiality leakage, XML signature wrapping, and improper SAML token validation, and they allow an attacker to impersonate users, replay signed SOAP messages, or forge security tokens without presenting a valid proof key. In a typical enterprise service environment, exploitation can lead to unauthorized access to sensitive data, execution of privileged operations, and impersonation that persists for the lifetime of a security context token (approximately ten hours). The overall risk is high for any organization relying on CoreWCF for secure service communication.

  • CVE-2026-54784 with a CVSS score of 7.4 – The proof key negotiated for WS‑SecureConversation can be observed by an eavesdropper when TransportWithMessageCredential is combined with Windows client credentials, letting the attacker impersonate the client for the lifetime of the security context token (≈10 hours). Exploitation requires capturing the RSTR handshake on the network.
  • CVE-2026-54783 with a CVSS score of 7.4 – An XML signature wrapping flaw lets an attacker reuse a captured signed SOAP envelope to invoke arbitrary service operations as the victim: the signed elements are kept intact so the signature still verifies, while the content the service acts on is substituted. No rate limiting constrains repeated attempts. The attacker needs only one valid signed message and network access to the service.
  • CVE-2026-54782 with a CVSS score of 10.0 – CoreWCF fails to correctly validate SAML 1.1/2.0 token signatures, permitting full authentication bypass and impersonation of any principal the trusted STS could issue, including administrators. Exploitation requires the service to use WS‑Federation bindings and knowledge of the STS public certificate, which by its nature is not secret.
  • CVE-2026-54781 with a CVSS score of 7.4 – The framework does not enforce SAML SubjectConfirmation methods or holder‑of‑key proof keys, so an attacker can present crafted or downgraded assertions (for example, a bearer assertion where holder‑of‑key confirmation is expected) and bypass the service's authentication policy. Requires a service that accepts SAML 1.1 tokens via federation bindings.
  • CVE-2026-54774 with a CVSS score of 7.4 – When a SAML token is validated against a non‑X.509 signing token, CoreWCF skips the final SignatureValue verification, so an attacker can supply a token carrying an arbitrary signature and gain unauthorized access. The precondition is a custom token resolver that resolves the signing key to a symmetric key.

These vulnerabilities collectively expose organizations to credential theft, unauthorized service calls, and long‑duration impersonation, demanding immediate attention. If left unaddressed, attackers can compromise confidential data, alter business processes, and undermine trust in service‑to‑service communications. The high severity ratings underscore the urgency for rapid risk mitigation.
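The failure modes listed above (a signature that verifies over relocated content, a subject confirmation that is never enforced, a SignatureValue that is never checked) can each be caught by a structural policy check applied to the received document before cryptographic verification. The following Python script is an added example written for this advisory; it is not CoreWCF code and does not verify XML‑DSig itself, it only rejects assertions whose structure makes the later signature check meaningless. The names check_document, sample_assertion and WRAPPED_ENVELOPE are this example's own, and all sample XML is constructed with placeholder signature values.

```python
"""Added example (not CoreWCF code): structural checks a service can run on a
received SAML 2.0 assertion before, never instead of, XML-DSig verification.
Each check targets a failure mode described in this advisory: duplicate IDs
or a signature Reference that does not cover the consumed assertion (signature
wrapping), a SubjectConfirmation that is not holder-of-key or carries no key
material (subject-confirmation downgrade), and an empty SignatureValue."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]


def check_document(xml_text: str) -> list:
    """Return policy violations for the whole received document (a bare
    assertion or a SOAP envelope carrying one); an empty list means the
    assertion may proceed to cryptographic signature verification."""
    problems = []
    doc = ET.fromstring(xml_text)

    # ID uniqueness is checked across the entire document, because wrapping
    # attacks park the signed original elsewhere under the same ID.
    ids = [el.get("ID") for el in doc.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        problems.append("duplicate ID attributes in document (possible signature wrapping)")

    assertions = list(doc.iter(ASSERTION_TAG))
    if len(assertions) != 1:
        problems.append("expected exactly one saml:Assertion, found %d" % len(assertions))
        return problems
    assertion = assertions[0]
    assertion_id = assertion.get("ID", "")
    if not assertion_id:
        problems.append("assertion has no ID")

    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is unsigned")
    else:
        # The signature must cover exactly this assertion, by its own ID.
        uris = [r.get("URI", "") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        if uris != ["#" + assertion_id]:
            problems.append("signature Reference %r does not cover assertion #%s" % (uris, assertion_id))
        if not (sig.findtext("ds:SignatureValue", default="", namespaces=NS) or "").strip():
            problems.append("empty SignatureValue")

    # Require holder-of-key confirmation with embedded key material; bearer
    # and sender-vouches assertions are rejected by this policy.
    confs = assertion.findall("saml:Subject/saml:SubjectConfirmation", NS)
    if not confs:
        problems.append("no SubjectConfirmation")
    for conf in confs:
        method = conf.get("Method", "")
        if method != HOLDER_OF_KEY:
            problems.append("SubjectConfirmation method %r is not holder-of-key" % method)
        elif conf.find("saml:SubjectConfirmationData/ds:KeyInfo", NS) is None:
            problems.append("holder-of-key confirmation carries no ds:KeyInfo")
    return problems


def sample_assertion(assertion_id="_a1", method=HOLDER_OF_KEY, ref=None,
                     with_key=True, sig_value="AAAA") -> str:
    """Constructed sample; the SignatureValue is a placeholder since this
    example checks structure only and does not compute or verify XML-DSig."""
    ref = ref if ref is not None else "#" + assertion_id
    key = ("<saml:SubjectConfirmationData><ds:KeyInfo><ds:KeyName>client-key"
           "</ds:KeyName></ds:KeyInfo></saml:SubjectConfirmationData>") if with_key else ""
    return (
        '<saml:Assertion xmlns:saml="%s" xmlns:ds="%s" ID="%s" Version="2.0">'
        "<saml:Issuer>https://sts.example</saml:Issuer>"
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"/></ds:SignedInfo>'
        "<ds:SignatureValue>%s</ds:SignatureValue></ds:Signature>"
        "<saml:Subject><saml:NameID>alice</saml:NameID>"
        '<saml:SubjectConfirmation Method="%s">%s</saml:SubjectConfirmation>'
        "</saml:Subject></saml:Assertion>"
    ) % (NS["saml"], NS["ds"], assertion_id, ref, sig_value, method, key)


# Constructed wrapping attempt: the signed holder-of-key assertion is parked in
# a header wrapper while a bearer assertion with the same ID sits in the body.
WRAPPED_ENVELOPE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Header><Wrapper>%s</Wrapper></soap:Header>"
    "<soap:Body>%s</soap:Body></soap:Envelope>"
) % (sample_assertion("_a1"), sample_assertion("_a1", method=BEARER))


if __name__ == "__main__":
    for label, doc in [("good", sample_assertion()),
                       ("bearer", sample_assertion(method=BEARER)),
                       ("no-key", sample_assertion(with_key=False)),
                       ("blank-sig", sample_assertion(sig_value="")),
                       ("wrapped", WRAPPED_ENVELOPE)]:
        print(label, check_document(doc) or "OK")
```

The ID‑uniqueness test deliberately runs over the whole envelope rather than the assertion alone: a wrapped envelope can contain a perfectly well‑formed signed assertion, and the attack only becomes visible when the duplicate ID in the body is compared against it. The checks are a filter in front of signature verification; an assertion that passes them still needs its signature verified against the STS certificate.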

RECOMMENDATION:

  • Update CoreWCF.Primitives to a fixed release: 1.8.1 or later on the 1.8 line, or the patched 1.9 release identified in the referenced advisories for deployments on 1.9.0 through 1.9.1. Rebuild and redeploy every service that references the package, including those that pull it in transitively through CoreWCF.Http or CoreWCF.NetTcp.
  • Treat any security context established before the upgrade as potentially compromised: a proof key captured via CVE-2026-54784 remains usable for the token's lifetime (≈10 hours). Restart the patched service so in‑memory security contexts are discarded and clients renegotiate.
  • Review custom security token resolver configurations. A resolver that returns a symmetric key for SAML signature validation is the precondition for CVE-2026-54774; SAML tokens should validate only against the STS X.509 certificate.
  • Until the update is deployed, disable WS‑Federation and SAML‑accepting bindings on exposed endpoints where possible; where SAML tokens must stay enabled, require holder‑of‑key subject confirmation in the service's token policy rather than accepting bearer assertions.
  • Review service access logs for the exposure window, with attention to administrative operations invoked through federated tokens, since CVE-2026-54782 allows impersonation of any principal the STS could issue.
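Before patching, the first practical question is where the affected package is actually referenced. The following Python script is an added example written for this advisory, not part of CoreWCF or its tooling: it walks a source tree for CoreWCF.Primitives references in SDK‑style project files, Directory.Packages.props and NuGet packages.lock.json files, and flags versions that fall in the affected ranges stated in the summary above. The scan, is_affected and make_sample_project names are this example's own, and the sample project tree it builds is constructed for the demonstration.

```python
"""Hypothetical scanner, added for this advisory and not part of CoreWCF:
walks a source tree for CoreWCF.Primitives references in project files and
NuGet lock files and flags versions in the affected ranges the advisory
lists (below 1.8.1, and 1.9.0 through 1.9.1)."""
import json
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PACKAGE = "corewcf.primitives"
PROJECT_SUFFIXES = {".csproj", ".vbproj", ".fsproj", ".props", ".targets"}


def parse_version(v: str) -> tuple:
    """Make NuGet-style versions comparable as tuples.  Numeric parts are
    padded to four places; a pre-release label sorts below its final release."""
    core, _, prerelease = v.strip().partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums = (nums + (0, 0, 0, 0))[:4]
    return nums + ((0, prerelease) if prerelease else (1, ""))


def is_affected(version: str) -> bool:
    """Affected ranges as stated in this advisory's summary; adjust the bounds
    if the referenced GHSA entries list different fixed releases."""
    v = parse_version(version)
    if v < parse_version("1.8.1"):
        return True
    return parse_version("1.9.0") <= v <= parse_version("1.9.1")


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]          # strip any XML namespace


def _project_versions(path: Path):
    """Yield versions from PackageReference / PackageVersion items."""
    try:
        tree = ET.parse(path)
    except ET.ParseError:
        return
    for el in tree.iter():
        if _local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        if (el.get("Include") or el.get("Update") or "").lower() != PACKAGE:
            continue
        version = el.get("Version")
        if version is None:                 # <Version> may be a child element
            for child in el:
                if _local(child.tag) == "Version":
                    version = (child.text or "").strip()
        yield version or ""


def _lockfile_versions(path: Path):
    """Yield resolved versions from packages.lock.json (per target framework)."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return
    for packages in data.get("dependencies", {}).values():
        for name, info in packages.items():
            if name.lower() == PACKAGE and "resolved" in info:
                yield info["resolved"]


def scan(root: Path) -> list:
    """Return (relative path, version, status) tuples; status is 'affected',
    'fixed' or 'unresolved' (a $(Property), a version range, or no version)."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.name == "packages.lock.json":
            versions = _lockfile_versions(path)
        elif path.suffix.lower() in PROJECT_SUFFIXES:
            versions = _project_versions(path)
        else:
            continue
        for version in versions:
            if not version or "$(" in version or version[0] in "[(":
                status = "unresolved"
            else:
                status = "affected" if is_affected(version) else "fixed"
            findings.append((str(path.relative_to(root)), version, status))
    return findings


def make_sample_project(root: Path) -> None:
    """Constructed sample tree (not real project files) used for the demo."""
    (root / "Svc").mkdir(parents=True)
    (root / "Svc" / "Svc.csproj").write_text(
        '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
        '<PackageReference Include="CoreWCF.Primitives" Version="1.9.0" />'
        '<PackageReference Include="CoreWCF.Http" Version="1.9.0" />'
        "</ItemGroup></Project>")
    (root / "Svc" / "packages.lock.json").write_text(json.dumps({
        "version": 1,
        "dependencies": {"net8.0": {
            "CoreWCF.Primitives": {"type": "Direct", "resolved": "1.9.0"}}}}))
    (root / "Directory.Packages.props").write_text(
        "<Project><ItemGroup>"
        '<PackageVersion Include="CoreWCF.Primitives" Version="1.8.1" />'
        "</ItemGroup></Project>")


def demo() -> list:
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_project(Path(tmp))
        return scan(Path(tmp))


if __name__ == "__main__":
    for rel, version, status in demo():
        print("%-10s %-10s %s" % (status, version, rel))
```

Run it against a checkout root with scan(Path("path/to/repo")). Lock files matter more than project files: central package management can pin 1.8.1 in Directory.Packages.props while a project override or a stale lock file still resolves to 1.9.0, and it is the resolved version in the lock file that the build restores.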

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-2288-8h3r-cqgg
https://github.com/advisories/GHSA-gqv6-pwcg-87r8
https://github.com/advisories/GHSA-xjr9-gg9q-jx3v
https://github.com/advisories/GHSA-48pq-2xq3-c2m4
https://github.com/advisories/GHSA-rpj7-hr7h-w6p9
