CVE-2026-54780 in CoreWCFinfo

Summary

by MITRE • 07/09/2026

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, the CoreWCF WS-Security 1.0 receive pipeline validates ds:SignedInfo SignatureMethod against the configured SecurityAlgorithmSuite but does not validate each ds:Reference DigestMethod, allowing a sender to use a rejected digest algorithm such as SHA-1 while the message is still accepted. This issue is fixed in versions 1.8.1 and 1.9.1.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability resides within CoreWCF's WS-Security 1.0 implementation where the receive pipeline performs incomplete validation of cryptographic algorithms used in digital signatures. While the system correctly validates the SignatureMethod within the ds:SignedInfo element against the configured SecurityAlgorithmSuite, it fails to validate the DigestMethod associated with each ds:Reference element. This inconsistency creates a security gap where malicious actors can substitute weaker digest algorithms like SHA-1 even when they are explicitly prohibited by security policies. The flaw exists in the signature validation logic that processes XML digital signatures according to the WS-Security standard while maintaining an incomplete validation approach that only examines the primary signature method but ignores the reference-level digest methods.

This vulnerability represents a specific implementation weakness classified under CWE-327, which deals with use of a broken or risky cryptographic algorithm. The issue directly impacts the integrity verification process by allowing attackers to bypass security controls designed to prevent the use of deprecated cryptographic methods. The WS-Security 1.0 specification defines a comprehensive framework for securing web services communications that includes strict requirements for cryptographic algorithm selection and validation throughout the signature structure. When the system only validates the primary signature method but ignores individual reference digest methods, it creates an opportunity for attackers to manipulate the digital signature verification process.

The operational impact of this vulnerability extends beyond simple cryptographic weakness to potentially enable more sophisticated attacks within secure communication channels. An attacker could exploit this flaw by constructing messages that use SHA-1 for digest calculations while maintaining a valid signature method, thereby circumventing security policies designed to prevent the use of weak hash algorithms. This creates opportunities for signature forgery or tampering attacks where the system accepts messages that should be rejected based on security policy enforcement. The vulnerability particularly affects systems that rely on CoreWCF for secure service communication and where strict cryptographic algorithm policies are enforced.

Mitigation strategies must focus on ensuring complete validation of all cryptographic elements within digital signatures according to established security standards. Organizations should immediately upgrade to CoreWCF versions 1.8.1 or 1.9.1 where this validation gap has been addressed. The fix implements comprehensive validation that checks both the SignatureMethod in ds:SignedInfo and each DigestMethod in ds:Reference elements against configured security algorithm suites. Security administrators should also review existing security policies to ensure proper enforcement of cryptographic algorithm restrictions, aligning with NIST SP 800-57 guidelines for cryptographic strength requirements. Additionally, this vulnerability highlights the importance of thorough testing of security controls in complex communication frameworks where incomplete validation logic can create exploitable gaps in security enforcement mechanisms that align with ATT&CK technique T1552.001 for unsecured credentials and T1071.004 for application layer protocol.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!