Service Vulnerability in CoreWCF Affecting .NET Core Products
CVE-2026-54780
3.7LOW
What is CVE-2026-54780?
CoreWCF, a port of Windows Communication Foundation to .NET Core, contains a vulnerability in its WS-Security 1.0 receive pipeline. This flaw occurs because the pipeline validates the ds:SignedInfo SignatureMethod against the configured SecurityAlgorithmSuite, but fails to validate each ds:Reference DigestMethod. As a result, it permits the use of rejected digest algorithms, such as SHA-1, resulting in potential security breaches. This issue has been addressed in CoreWCF versions 1.8.1 and 1.9.1.
Affected Version(s)
CoreWCF >= 1.9.0, < 1.9.1 < 1.9.0, 1.9.1
CoreWCF < 1.8.1 < 1.8.1
