mediumCVE-2026-54773

CoreWCF WS-Security Document-Wide Signature Lookup Bypass Vulnerability

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF WS-Security signature verification performs a document-wide ds:Signature lookup, allowing an unauthenticated remote attacker to place a SOAP header before wsse:Security and cause WSSecurityOneDotZeroReceiveSecurityHeader to verify an attacker-supplied signature instead of the security header signature. This issue is fixed in versions 1.8.1 and 1.9.1.

ProductCoreWCF
CVSS5.9
EPSS0.00238
UpdatedJuly 10, 2026

Quick answer

CoreWCF Project CoreWCF should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • CoreWCF before 1.8.1
  • CoreWCF 1.9.0 before 1.9.1

Fixed versions

  • 1.8.1
  • 1.9.1

How to fix it

CoreWCF before 1.8.1 and 1.9.1 can verify the wrong ds:Signature when processing WS-Security messages, allowing crafted SOAP headers to bypass intended security-header signature checks. Update CoreWCF and review signed SOAP message validation.

  1. Identify CoreWCF SOAP services that use WS-Security signatures.
  2. Upgrade CoreWCF packages to 1.8.1, 1.9.1, or later.
  3. Reject SOAP messages with unexpected signed headers before wsse:Security until services are patched.
  4. Review service logs for unusual SOAP header ordering or failed signature validations.
  5. Coordinate with clients to verify valid signed SOAP messages still follow expected structure.
  6. Restrict externally reachable SOAP endpoints during patch rollout.
  7. Add tests that ensure only the wsse:Security signature is accepted for protected messages.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm every affected service uses patched CoreWCF packages.
  • Test a crafted SOAP message with an attacker-controlled signature before wsse:Security and confirm rejection.
  • Validate normal signed SOAP clients still work.
  • Review logs for abnormal SOAP headers after deployment.
  • Run a Fixnx scan and confirm SOAP exposure is limited to intended endpoints.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-54773?

CoreWCF Project CoreWCF versions listed as affected should be reviewed: CoreWCF before 1.8.1, CoreWCF 1.9.0 before 1.9.1.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.