Security Risk Category

saml Security Risks

Published vulnerability pages connected to saml. One risk can appear in multiple categories while keeping one canonical page.

saml risks

Showing 6 of 6 published risks.

highEPSS 0.002

CoreWCF SAML Non-X.509 Signature Verification Bypass Vulnerability

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, SamlSerializer skips final SignatureValue verification when a CoreWCF service validates SAML tokens using a non-X.509 signing token, allowing an attacker to reference a non-X.509 SecurityToken key identifier and bypass assertion signature verification. This issue is fixed in versions 1.8.1 and 1.9.1.

CVE-2026-54774corewcfdotnetnugetwcf

Updated Jul 10, 2026

mediumEPSS 0.003

CoreWCF SAML Token Replay Cache Bypass Vulnerability

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML token replay protection is inoperative because DefaultTokenReplayCache.TryAdd does not reject duplicate tokens when DetectReplayedTokens is enabled, allowing a captured token to be reused. This issue is fixed in versions 1.8.1 and 1.9.1.

CVE-2026-54779corewcfdotnetnugetwcf

Updated Jul 10, 2026

highEPSS 0.002

CoreWCF SAML SubjectConfirmation Holder-of-Key Bypass Vulnerability

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML token validation does not enforce SubjectConfirmation method URIs or holder-of-key proof keys in SamlSecurityTokenHandler, allowing holder-of-key downgrade or custom confirmation method assertions to authenticate a subject without proving authority over the assertion. This issue is fixed in versions 1.8.1 and 1.9.1.

CVE-2026-54781corewcfdotnetnugetwcf

Updated Jul 10, 2026

criticalEPSS 0.002

CoreWCF SAML Token Signature Validation Authentication Bypass Vulnerability

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML 1.1 and SAML 2.0 token validation does not correctly resolve the issuer signing key or require signed tokens when IdentityConfiguration is used with federated bindings, allowing an unauthenticated remote attacker to impersonate any principal the trusted STS could issue. This issue is fixed in versions 1.8.1 and 1.9.1.

CVE-2026-54782corewcfdotnetnugetwcf

Updated Jul 10, 2026

highEPSS 0.001

CoreWCF WS-Security Signature Target Replay Vulnerability

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF WS-Security endorsing and supporting signature verification does not ensure the selected ds:Signature covers the expected Security header target, allowing an attacker with one captured signed SOAP envelope to replay arbitrary service operations as the victim principal. This issue is fixed in versions 1.8.1 and 1.9.1.

CVE-2026-54783corewcfdotnetnugetwcf

Updated Jul 10, 2026

mediumEPSS 0.002

Nozomi Guardian and CMC SAML Single Sign-On Open Redirect Vulnerability

An Open Redirect vulnerability was discovered in the SAML Single Sign-On functionality due to insufficient validation of a user-controlled redirection parameter. An unauthenticated attacker can craft a request to the SAML sign-in endpoint and poison the cached SAML redirection for other users who subsequently initiate SAML Single Sign-On, enabling phishing and credential-theft attacks, as well as disrupting SAML authentication for all affected users.

CVE-2026-31982nozomi-networksguardiancmcsaml

Updated Jul 10, 2026