highCVE-2026-54774

CoreWCF SAML Non-X.509 Signature Verification Bypass Vulnerability

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, SamlSerializer skips final SignatureValue verification when a CoreWCF service validates SAML tokens using a non-X.509 signing token, allowing an attacker to reference a non-X.509 SecurityToken key identifier and bypass assertion signature verification. This issue is fixed in versions 1.8.1 and 1.9.1.

ProductCoreWCF
CVSS7.4
EPSS0.0015
UpdatedJuly 10, 2026

Quick answer

CoreWCF Project CoreWCF should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • CoreWCF before 1.8.1
  • CoreWCF 1.9.0 before 1.9.1

Fixed versions

  • 1.8.1
  • 1.9.1

How to fix it

CoreWCF before 1.8.1 and 1.9.1 can skip final SAML SignatureValue verification when non-X.509 signing tokens are used. Update CoreWCF and review trust settings for SAML token validation.

  1. Inventory CoreWCF services that validate SAML assertions, especially non-X.509 signing token configurations.
  2. Upgrade CoreWCF packages to 1.8.1, 1.9.1, or later.
  3. Prefer trusted X.509 issuer validation where possible and document any non-X.509 signing token use.
  4. Expire SAML sessions and rotate token validation trust if forged assertions may have been accepted.
  5. Review logs for unexpected SAML issuers, key identifiers, or principal mappings.
  6. Restrict affected federated service endpoints during rollout.
  7. Add regression tests for invalid SAML SignatureValue and unsupported signing-token references.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm patched CoreWCF packages are deployed.
  • Test a SAML assertion with an invalid SignatureValue and confirm it is rejected.
  • Verify non-X.509 token validation follows the intended trust policy.
  • Review authentication logs for suspicious SAML activity.
  • Run a Fixnx scan and confirm only intended service endpoints are exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-54774?

CoreWCF Project CoreWCF versions listed as affected should be reviewed: CoreWCF before 1.8.1, CoreWCF 1.9.0 before 1.9.1.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.