SPNEGO Security Context Token Weakness in CoreWCF Product by CoreWCF
CVE-2026-54784
7.4HIGH
What is CVE-2026-54784?
In CoreWCF version 1.9.0, a vulnerability related to SPNEGO SecurityContextToken negotiation may allow an observer to obtain the proof key from the RSTR when using TransportWithMessageCredential with Windows client credentials during session establishment. This exposure could enable the observer to impersonate the authenticated Windows principal, thereby risking the integrity of other communications protected by WS-SecureConversation. The issue has been addressed in version 1.9.1.
Affected Version(s)
CoreWCF >= 1.9.0, < 1.9.1
