SPNEGO Security Context Token Weakness in CoreWCF Product by CoreWCF
CVE-2026-54784

7.4HIGH

Key Information:

Vendor

Corewcf

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-54784?

In CoreWCF version 1.9.0, a vulnerability related to SPNEGO SecurityContextToken negotiation may allow an observer to obtain the proof key from the RSTR when using TransportWithMessageCredential with Windows client credentials during session establishment. This exposure could enable the observer to impersonate the authenticated Windows principal, thereby risking the integrity of other communications protected by WS-SecureConversation. The issue has been addressed in version 1.9.1.

Affected Version(s)

CoreWCF >= 1.9.0, < 1.9.1

References

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.