CVE-2026-54782
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML 1.1 and SAML 2.0 token validation does not correctly resolve the issuer signing key or require signed tokens when IdentityConfiguration is used with federated bindings, allowing an unauthenticated remote attacker to impersonate any principal the trusted STS could issue. This issue is fixed in versions 1.8.1 and 1.9.1.
View on NVDAnalysis
CoreWCF presenta una vulnerabilidad critica en la validacion de tokens SAML 1.1 y 2.0 que permite a un atacante remoto no autenticado suplantar cualquier identidad. El fallo ocurre al usar IdentityConfiguration con enlaces federados, facilitando el bypass total de la autenticacion en servicios backend construidos con .NET Core. Es imperativo actualizar inmediatamente a las versiones 1.8.1 o 1.9.1 para corregir este error de severidad maxima.
Relevant roles
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:NCWE-290CWE-347EPSS
No EPSS score yet (CVE may be too fresh).
Technical description
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML 1.1 and SAML 2.0 token validation does not correctly resolve the issuer signing key or require signed tokens when IdentityConfiguration is used with federated bindings, allowing an unauthenticated remote attacker to impersonate any principal the trusted STS could issue. This issue is fixed in versions 1.8.1 and 1.9.1.
References
- https://github.com/CoreWCF/CoreWCF/commit/0b8c8af851260e85e8402af53233d1b8f87dfb6f
- https://github.com/CoreWCF/CoreWCF/commit/0e63c2cca55763d8be6b226a234579280a09e7b6
- https://github.com/CoreWCF/CoreWCF/commit/e5cc9b6a4ecc102a50d782093bfc72e0790abe3d
- https://github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1
- https://github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1
- https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-xjr9-gg9q-jx3v