CoreWCF SAML Token Validation Flaw in .NET Core
CVE-2026-54782

10CRITICAL

Key Information:

Vendor

Corewcf

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-54782?

CoreWCF, the .NET Core port of Windows Communication Foundation, contains a vulnerability in its handling of SAML 1.1 and SAML 2.0 tokens. Versions prior to 1.8.1 and 1.9.1 fail to validate the issuer signing key or enforce signing requirements for tokens used with IdentityConfiguration when federated bindings are in play. This oversight permits unauthenticated remote attackers to impersonate legitimate principals issued by trusted Security Token Services (STS). The issue has been addressed in subsequent releases.

Affected Version(s)

CoreWCF >= 1.9.0, < 1.9.1 < 1.9.0, 1.9.1

CoreWCF < 1.8.1 < 1.8.1

References

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.