CoreWCF WS-Security Weak Digest Algorithm Acceptance Vulnerability
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, the CoreWCF WS-Security 1.0 receive pipeline validates ds:SignedInfo SignatureMethod against the configured SecurityAlgorithmSuite but does not validate each ds:Reference DigestMethod, allowing a sender to use a rejected digest algorithm such as SHA-1 while the message is still accepted. This issue is fixed in versions 1.8.1 and 1.9.1.
Quick answer
CoreWCF Project CoreWCF should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- CoreWCF before 1.8.1
- CoreWCF 1.9.0 before 1.9.1
Fixed versions
- 1.8.1
- 1.9.1
How to fix it
CoreWCF before 1.8.1 and 1.9.1 can accept WS-Security reference digest algorithms that should be rejected by the configured SecurityAlgorithmSuite. Update CoreWCF and enforce modern digest and signature algorithms.
- Inventory CoreWCF services using WS-Security 1.0 message signing.
- Upgrade all CoreWCF packages to 1.8.1, 1.9.1, or later.
- Review SecurityAlgorithmSuite settings and remove SHA-1 or other weak digest allowances where possible.
- Reject SOAP messages that include deprecated DigestMethod values such as SHA-1.
- Coordinate with clients to ensure they use supported modern digest and signature algorithms.
- Log rejected signature and digest algorithm failures for follow-up.
- Remove temporary compatibility exceptions after all clients have updated.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm patched CoreWCF packages are deployed.
- Send a signed SOAP test message using a weak digest and confirm it is rejected.
- Validate legitimate clients still work with approved algorithms.
- Review security logs for weak digest attempts after rollout.
- Run a Fixnx scan and confirm SOAP endpoints are not exposed unnecessarily.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-54780?
CoreWCF Project CoreWCF versions listed as affected should be reviewed: CoreWCF before 1.8.1, CoreWCF 1.9.0 before 1.9.1.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
