CoreWCF Unix Domain Socket PosixIdentity Security Upgrade Bypass Vulnerability
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service hosted on Unix Domain Sockets with PosixIdentity client credentials can accept connections that skip the application/unixposix stream upgrade before dispatching messages, bypassing framing-layer identity checks in UnixPosixIdentitySecurityUpgradeProvider. This issue is fixed in versions 1.8.1 and 1.9.1.
Quick answer
CoreWCF Project CoreWCF should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- CoreWCF before 1.8.1
- CoreWCF 1.9.0 before 1.9.1
Fixed versions
- 1.8.1
- 1.9.1
How to fix it
CoreWCF services using Unix Domain Sockets and PosixIdentity before 1.8.1 and 1.9.1 can dispatch messages without the expected identity security upgrade. Update CoreWCF and lock down local socket access.
- Identify CoreWCF Unix Domain Socket services using PosixIdentity client credentials.
- Upgrade CoreWCF to 1.8.1, 1.9.1, or a later fixed version.
- Restrict socket file permissions and parent directory permissions to trusted local clients.
- Reject clients that do not complete the application/unixposix security upgrade.
- Review application authorization rules that depend on POSIX user or group identity.
- Audit local service logs for unauthenticated or unexpected socket clients.
- Restart services and remove temporary compatibility modes after patching.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm patched CoreWCF packages are deployed.
- Test a connection that skips the POSIX security upgrade and confirm it is rejected.
- Verify authorized local clients still authenticate with the expected POSIX identity.
- Review logs for unauthenticated socket access attempts.
- Run a Fixnx scan and confirm the service is not reachable from untrusted networks.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-54776?
CoreWCF Project CoreWCF versions listed as affected should be reviewed: CoreWCF before 1.8.1, CoreWCF 1.9.0 before 1.9.1.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
