CVE-2026-54776 in CoreWCF
Summary
by MITRE • 07/09/2026
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service hosted on Unix Domain Sockets with PosixIdentity client credentials can accept connections that skip the application/unixposix stream upgrade before dispatching messages, bypassing framing-layer identity checks in UnixPosixIdentitySecurityUpgradeProvider. This issue is fixed in versions 1.8.1 and 1.9.1.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/09/2026
This vulnerability affects CoreWCF services running on Unix Domain Sockets with PosixIdentity client credentials, representing a critical security flaw in the authentication and authorization mechanisms of the Windows Communication Foundation port for .NET Core. The issue stems from improper handling of stream upgrades during connection establishment, allowing malicious clients to bypass crucial identity verification checks that should occur at the framing layer before message dispatching. The vulnerability specifically impacts services configured with UnixPosixIdentitySecurityUpgradeProvider, which is responsible for validating client identities when using Unix domain sockets with POSIX-based authentication mechanisms.
The technical flaw manifests in the security upgrade process where connections can skip the application/unixposix stream upgrade phase that normally validates client credentials and establishes proper identity context. This bypass occurs during the initial connection handshake, allowing unauthorized entities to establish valid connections without proper authentication, effectively undermining the entire identity validation framework. The vulnerability is classified as a weakness in authorization mechanisms and represents a failure in secure communication channel establishment according to CWE-284 access control principles. Attackers can exploit this by crafting specially formatted connections that circumvent the normal security upgrade sequence, potentially gaining unauthorized access to services that rely on proper identity verification.
The operational impact of this vulnerability is significant as it allows attackers to bypass authentication mechanisms entirely, potentially leading to unauthorized access to sensitive services and data. Since Unix Domain Sockets are commonly used for local inter-process communication and service-to-service interactions within containerized environments and microservices architectures, this vulnerability could affect a wide range of applications deployed in production environments. The bypass affects the core security model of CoreWCF services, potentially allowing privilege escalation or unauthorized data access depending on the service's authorization policies. This vulnerability aligns with ATT&CK technique T1078 legitimate credentials, where adversaries use valid accounts to gain access to systems without detection.
Organizations should immediately update their CoreWCF services to versions 1.8.1 or 1.9.1 to remediate this vulnerability. The fix addresses the stream upgrade process by ensuring that all connections properly undergo the UnixPosixIdentitySecurityUpgradeProvider validation before any message processing occurs. Security teams should also implement additional monitoring for unauthorized connection attempts and verify that all services using Unix Domain Sockets with PosixIdentity credentials are properly updated. Given that this affects containerized deployments and microservices architectures, organizations should conduct comprehensive security assessments of their service communication patterns and ensure proper credential handling across all components. The vulnerability demonstrates the importance of maintaining up-to-date security libraries and implementing proper security testing for authentication mechanisms in distributed applications.