CVE-2026-54774 in CoreWCFinfo

Summary

by MITRE • 07/09/2026

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, SamlSerializer skips final SignatureValue verification when a CoreWCF service validates SAML tokens using a non-X.509 signing token, allowing an attacker to reference a non-X.509 SecurityToken key identifier and bypass assertion signature verification. This issue is fixed in versions 1.8.1 and 1.9.1.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability in CoreWCF affects the SAML token validation process when services operate with non-X.509 signing tokens, creating a critical security gap that undermines the integrity of authentication mechanisms. This flaw exists in versions prior to 1.8.1 and 1.9.1 where the SamlSerializer component fails to properly verify the SignatureValue of SAML assertions when validating tokens that do not utilize X.509 certificates for signing. The issue stems from an incomplete implementation of the SAML signature validation routine that skips a crucial verification step, allowing malicious actors to exploit this weakness in the authentication flow.

The technical nature of this vulnerability falls under CWE-327, which addresses weak cryptographic algorithms and improper implementation of security features, specifically targeting the cryptographic validation process within SAML token handling. When a CoreWCF service receives a SAML assertion with a non-X.509 key identifier, the system should perform complete signature verification including the final SignatureValue check to ensure the assertion has not been tampered with. However, due to the flawed implementation, this critical verification step is bypassed, potentially allowing attackers to forge or modify SAML assertions without detection.

From an operational perspective, this vulnerability creates significant risks for organizations relying on CoreWCF services for authentication and authorization. Attackers can exploit this weakness to submit crafted SAML tokens that appear valid to the service but contain malicious content or unauthorized claims. The bypass of signature verification means that even if an attacker cannot directly sign assertions with a valid certificate, they can manipulate existing valid assertions by referencing non-X.509 tokens that allow the validation process to skip critical cryptographic checks. This could lead to unauthorized access, privilege escalation, and potential data breaches within systems protected by these vulnerable services.

The impact of this vulnerability aligns with ATT&CK technique T1550.001, which covers use of valid credentials through legitimate authentication processes that have been manipulated or bypassed. Organizations using CoreWCF services in their authentication infrastructure face elevated risk of credential compromise and unauthorized system access, particularly in environments where SAML-based authentication is prevalent. The vulnerability affects the fundamental security model of the service by allowing attackers to manipulate authentication tokens without proper cryptographic validation. This issue represents a failure in the principle of least privilege and could enable attackers to gain access to sensitive resources that should be protected by robust SAML token validation mechanisms.

The fix implemented in versions 1.8.1 and 1.9.1 addresses this vulnerability by restoring complete signature verification for all SAML tokens regardless of their key identifier type. This ensures that the SignatureValue field is always validated, preventing attackers from exploiting the bypass condition. Organizations should prioritize upgrading to these fixed versions immediately and conduct thorough security assessments of their CoreWCF services to identify any potential exploitation attempts. The remediation process should include reviewing existing SAML token handling logic and ensuring all authentication flows properly validate cryptographic signatures before accepting assertions as legitimate. Additionally, security monitoring should be enhanced to detect unusual patterns in SAML assertion processing that might indicate attempted exploitation of this vulnerability.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!