CoreWCF SAML Non-X.509 Signature Verification Bypass Vulnerability
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, SamlSerializer skips final SignatureValue verification when a CoreWCF service validates SAML tokens using a non-X.509 signing token, allowing an attacker to reference a non-X.509 SecurityToken key identifier and bypass assertion signature verification. This issue is fixed in versions 1.8.1 and 1.9.1.
Quick answer
CoreWCF Project CoreWCF should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- CoreWCF before 1.8.1
- CoreWCF 1.9.0 before 1.9.1
Fixed versions
- 1.8.1
- 1.9.1
How to fix it
CoreWCF before 1.8.1 and 1.9.1 can skip final SAML SignatureValue verification when non-X.509 signing tokens are used. Update CoreWCF and review trust settings for SAML token validation.
- Inventory CoreWCF services that validate SAML assertions, especially non-X.509 signing token configurations.
- Upgrade CoreWCF packages to 1.8.1, 1.9.1, or later.
- Prefer trusted X.509 issuer validation where possible and document any non-X.509 signing token use.
- Expire SAML sessions and rotate token validation trust if forged assertions may have been accepted.
- Review logs for unexpected SAML issuers, key identifiers, or principal mappings.
- Restrict affected federated service endpoints during rollout.
- Add regression tests for invalid SAML SignatureValue and unsupported signing-token references.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm patched CoreWCF packages are deployed.
- Test a SAML assertion with an invalid SignatureValue and confirm it is rejected.
- Verify non-X.509 token validation follows the intended trust policy.
- Review authentication logs for suspicious SAML activity.
- Run a Fixnx scan and confirm only intended service endpoints are exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-54774?
CoreWCF Project CoreWCF versions listed as affected should be reviewed: CoreWCF before 1.8.1, CoreWCF 1.9.0 before 1.9.1.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
