Service Vulnerability in CoreWCF Affecting .NET Core Products
CVE-2026-54780

3.7LOW

Key Information:

Vendor

Corewcf

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-54780?

CoreWCF, a port of Windows Communication Foundation to .NET Core, contains a vulnerability in its WS-Security 1.0 receive pipeline. This flaw occurs because the pipeline validates the ds:SignedInfo SignatureMethod against the configured SecurityAlgorithmSuite, but fails to validate each ds:Reference DigestMethod. As a result, it permits the use of rejected digest algorithms, such as SHA-1, resulting in potential security breaches. This issue has been addressed in CoreWCF versions 1.8.1 and 1.9.1.

Affected Version(s)

CoreWCF >= 1.9.0, < 1.9.1 < 1.9.0, 1.9.1

CoreWCF < 1.8.1 < 1.8.1

References

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.