CVE-2026-54784 in CoreWCF
Summary
by MITRE • 07/09/2026
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. In version 1.9.0, CoreWCF SPNEGO SecurityContextToken negotiation can expose the proof key recovered from the RSTR when TransportWithMessageCredential with Windows client credentials and session establishment are used, allowing an observer to impersonate the authenticated Windows principal and decrypt or forge WS-SecureConversation traffic. This issue is fixed in version 1.9.1.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability exists within CoreWCF version 1.9.0 where the SecurityContextToken negotiation process fails to properly protect cryptographic proof keys during SPNEGO authentication scenarios. When using TransportWithMessageCredential security mode with Windows client credentials and session establishment, the system inadvertently exposes the proof key recovered from the RSTR (Request Security Token Response) message. This exposure occurs during the secure conversation establishment phase where the cryptographic material intended to protect the session becomes accessible to network observers.
The technical flaw stems from improper handling of cryptographic material within the WS-SecureConversation protocol implementation. Specifically, the vulnerability manifests when the SecurityContextToken is negotiated using SPNEGO authentication, which is commonly employed in enterprise environments for seamless Windows authentication. The proof key derived from the RSTR message contains sufficient cryptographic information to allow an attacker positioned on the network to impersonate authenticated Windows principals and gain unauthorized access to protected services.
This vulnerability directly impacts the confidentiality and integrity of communications within the affected system. An attacker who intercepts traffic during the SPNEGO negotiation process can utilize the exposed proof key to decrypt previously captured WS-SecureConversation messages or forge new security tokens that appear legitimate to the service endpoint. The operational impact extends beyond simple eavesdropping as it enables privilege escalation and unauthorized access to resources that should only be accessible to authenticated Windows users.
The security implications align with CWE-310, which addresses cryptographic weaknesses in key management and generation processes. This weakness specifically relates to improper protection of cryptographic keys during protocol negotiations, creating opportunities for man-in-the-middle attacks and session hijacking. The vulnerability also maps to ATT&CK technique T1550.001, which covers unauthorized use of session tokens and credentials, as attackers can leverage the exposed proof key to maintain persistent access to authenticated services.
Organizations using CoreWCF version 1.9.0 with TransportWithMessageCredential security mode should immediately upgrade to version 1.9.1 where the issue has been resolved through proper cryptographic key handling during SPNEGO negotiations. Additional mitigations include implementing network segmentation to reduce exposure surface, deploying intrusion detection systems to monitor for suspicious authentication patterns, and ensuring that all communication channels use transport layer encryption in addition to message level security. The fix addresses the root cause by ensuring that cryptographic proof keys remain properly protected throughout the entire negotiation process, preventing unauthorized recovery of sensitive cryptographic material.