LiveActive security incident?Get immediate response
CVE Record

CVE-2026-54782: CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML 1.1 and SAML 2.0 token validation does not correctly resolve the issuer signing key or require signed tokens when IdentityConfiguration is used with federated bindings, allowing an unauthenticated remote attacker to impersonate any principal the trusted STS could issue. This issue is fixed in versions 1.8.1 and 1.9.1.

CriticalCVSS 10Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

CoreWCF services using affected SAML federation validation may accept forged or unsigned identity claims. A remote unauthenticated attacker could appear as any principal that the trusted STS could issue, potentially bypassing access controls across exposed services.

Executive priority

Treat as urgent for any CoreWCF federated service. Successful abuse could let an unauthenticated party act as trusted users or service principals without needing credentials.

Technical view

Before CoreWCF 1.8.1 and 1.9.1, SAML 1.1/2.0 validation with IdentityConfiguration and federated bindings mishandles issuer signing key resolution and token signature requirements. The flaw maps to authentication bypass and improper signature verification, with CVSS 10.0.

Likely exposure

Exposure is likely limited to applications running vulnerable CoreWCF versions with federated bindings, IdentityConfiguration, and SAML token validation. Internet-facing or partner-facing service endpoints carry the highest business risk.

Exploitation context

The provided sources do not report active exploitation, and KEV is false. The issue is remotely reachable, unauthenticated, low complexity, and can cross authorization boundaries by impersonating trusted identities.

Researcher notes

Focus assessment on IdentityConfiguration plus federated bindings. Validate version exposure and configuration reachability, not generic WCF usage. The bundle names fixed versions but provides no evidence of public exploitation.

Mitigation direction

  • Upgrade affected CoreWCF deployments to 1.8.1 or 1.9.1.
  • Prioritize externally reachable federated CoreWCF services.
  • Review vendor advisory and release notes before deployment.
  • Apply temporary access controls where immediate upgrade is not possible.

Validation and detection

  • Inventory CoreWCF package versions in all .NET services.
  • Identify services using federated bindings with IdentityConfiguration.
  • Confirm SAML 1.1 or SAML 2.0 token validation paths.
  • Verify patched versions are deployed in production.
  • Review authentication logs for unusual principal use.
Prepared
Confidence
high
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-290: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-347: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-54782 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
10 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
10CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N3.95.8GitHub_M

Vulnerability scoring details

Base CVSS 3.1 score

10Critical
CVSS 3.1 vector shape for CVE-2026-54782Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
CoreWCFCoreWCF>= 1.9.0, < 1.9.1, < 1.8.1Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-290 · source CWE mapping

Authentication Bypass by Spoofing

Authentication Bypass by Spoofing represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-347 · source CWE mapping

Improper Verification of Cryptographic Signature

Improper Verification of Cryptographic Signature represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.