CoreWCF SAML Token Validation Flaw in .NET Core
CVE-2026-54782
10CRITICAL
What is CVE-2026-54782?
CoreWCF, the .NET Core port of Windows Communication Foundation, contains a vulnerability in its handling of SAML 1.1 and SAML 2.0 tokens. Versions prior to 1.8.1 and 1.9.1 fail to validate the issuer signing key or enforce signing requirements for tokens used with IdentityConfiguration when federated bindings are in play. This oversight permits unauthenticated remote attackers to impersonate legitimate principals issued by trusted Security Token Services (STS). The issue has been addressed in subsequent releases.
Affected Version(s)
CoreWCF >= 1.9.0, < 1.9.1 < 1.9.0, 1.9.1
CoreWCF < 1.8.1 < 1.8.1
