CVE-2026-54784 in CoreWCFinfo

Summary

by MITRE • 07/09/2026

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. In version 1.9.0, CoreWCF SPNEGO SecurityContextToken negotiation can expose the proof key recovered from the RSTR when TransportWithMessageCredential with Windows client credentials and session establishment are used, allowing an observer to impersonate the authenticated Windows principal and decrypt or forge WS-SecureConversation traffic. This issue is fixed in version 1.9.1.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability exists within CoreWCF version 1.9.0 where the SecurityContextToken negotiation process fails to properly protect cryptographic proof keys during SPNEGO authentication scenarios. When using TransportWithMessageCredential security mode with Windows client credentials and session establishment, the system inadvertently exposes the proof key recovered from the RSTR (Request Security Token Response) message. This exposure occurs during the secure conversation establishment phase where the cryptographic material intended to protect the session becomes accessible to network observers.

The technical flaw stems from improper handling of cryptographic material within the WS-SecureConversation protocol implementation. Specifically, the vulnerability manifests when the SecurityContextToken is negotiated using SPNEGO authentication, which is commonly employed in enterprise environments for seamless Windows authentication. The proof key derived from the RSTR message contains sufficient cryptographic information to allow an attacker positioned on the network to impersonate authenticated Windows principals and gain unauthorized access to protected services.

This vulnerability directly impacts the confidentiality and integrity of communications within the affected system. An attacker who intercepts traffic during the SPNEGO negotiation process can utilize the exposed proof key to decrypt previously captured WS-SecureConversation messages or forge new security tokens that appear legitimate to the service endpoint. The operational impact extends beyond simple eavesdropping as it enables privilege escalation and unauthorized access to resources that should only be accessible to authenticated Windows users.

The security implications align with CWE-310, which addresses cryptographic weaknesses in key management and generation processes. This weakness specifically relates to improper protection of cryptographic keys during protocol negotiations, creating opportunities for man-in-the-middle attacks and session hijacking. The vulnerability also maps to ATT&CK technique T1550.001, which covers unauthorized use of session tokens and credentials, as attackers can leverage the exposed proof key to maintain persistent access to authenticated services.

Organizations using CoreWCF version 1.9.0 with TransportWithMessageCredential security mode should immediately upgrade to version 1.9.1 where the issue has been resolved through proper cryptographic key handling during SPNEGO negotiations. Additional mitigations include implementing network segmentation to reduce exposure surface, deploying intrusion detection systems to monitor for suspicious authentication patterns, and ensuring that all communication channels use transport layer encryption in addition to message level security. The fix addresses the root cause by ensuring that cryptographic proof keys remain properly protected throughout the entire negotiation process, preventing unauthorized recovery of sensitive cryptographic material.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!