SOAP Signature Verification Vulnerability in CoreWCF from Microsoft
CVE-2026-54773

5.9MEDIUM

Key Information:

Vendor

Corewcf

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-54773?

CoreWCF, a .NET Core port of Windows Communication Foundation (WCF), has a vulnerability in its WS-Security signature verification process. This flaw allows an unauthenticated remote attacker to manipulate SOAP headers, potentially leading to the verification of a maliciously crafted signature instead of the intended security header signature. The issue is addressed in versions 1.8.1 and 1.9.1, ensuring that document-wide signature lookups do not permit such exploitation.

Affected Version(s)

CoreWCF >= 1.9.0, < 1.9.1 < 1.9.0, 1.9.1

CoreWCF < 1.8.1 < 1.8.1

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.