CVE-2026-54779 in CoreWCF
Summary
by MITRE • 07/09/2026
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML token replay protection is inoperative because DefaultTokenReplayCache.TryAdd does not reject duplicate tokens when DetectReplayedTokens is enabled, allowing a captured token to be reused. This issue is fixed in versions 1.8.1 and 1.9.1.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability in CoreWCF relates to insufficient token replay protection mechanisms that could allow attackers to reuse captured security tokens within the service communication framework. This flaw exists in versions prior to 1.8.1 and 1.9.1 where the DefaultTokenReplayCache implementation fails to properly validate token uniqueness when the DetectReplayedTokens feature is enabled. The core issue stems from a fundamental breakdown in the token validation logic that should prevent previously used security tokens from being accepted again within the system.
This vulnerability represents a critical weakness in the authentication and authorization mechanisms of CoreWCF services, as it directly undermines the principle of secure token usage and creates an avenue for replay attacks. When DetectReplayedTokens is enabled but DefaultTokenReplayCache.TryAdd does not properly reject duplicate tokens, the entire security posture of applications relying on SAML token authentication becomes compromised. The flaw allows adversaries to capture valid SAML tokens through various means such as network interception or session hijacking and then reuse them to gain unauthorized access to protected resources.
The operational impact of this vulnerability extends beyond simple authentication bypasses, as it can lead to complete service compromise when attackers leverage replayed tokens to perform privileged operations. This weakness particularly affects applications that depend on SAML-based authentication for securing service endpoints, where the integrity of token validation becomes paramount to maintaining system security. The vulnerability is classified under CWE-347 as "Improper Verification of Cryptographic Signature" and aligns with ATT&CK technique T1566.002 for credential access through phishing or network interception methods.
Security professionals should prioritize upgrading CoreWCF implementations to versions 1.8.1 or 1.9.1 where the token replay protection has been properly implemented. Organizations maintaining older versions of CoreWCF should immediately disable DetectReplayedTokens functionality until proper upgrades are completed, as this feature becomes ineffective in the vulnerable versions. The fix addresses the core logic error in DefaultTokenReplayCache.TryAdd method to ensure that duplicate tokens are properly rejected when the replay detection mechanism is active, thereby restoring proper security controls for SAML token validation and preventing unauthorized access through token reuse attacks.
Additional mitigations include implementing comprehensive monitoring for suspicious authentication patterns, deploying network segmentation to limit token exposure, and conducting thorough security assessments of all CoreWCF-based services. Organizations should also consider implementing additional layers of authentication such as multi-factor authentication to reduce the impact if token replay attacks succeed despite proper implementation. The vulnerability highlights the importance of proper cryptographic validation in distributed systems and serves as a reminder that even seemingly minor flaws in authentication mechanisms can have significant security implications across enterprise environments relying on secure communication frameworks.