highCVE-2026-54781

CoreWCF SAML SubjectConfirmation Holder-of-Key Bypass Vulnerability

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML token validation does not enforce SubjectConfirmation method URIs or holder-of-key proof keys in SamlSecurityTokenHandler, allowing holder-of-key downgrade or custom confirmation method assertions to authenticate a subject without proving authority over the assertion. This issue is fixed in versions 1.8.1 and 1.9.1.

ProductCoreWCF
CVSS7.4
EPSS0.00178
UpdatedJuly 10, 2026

Quick answer

CoreWCF Project CoreWCF should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • CoreWCF before 1.8.1
  • CoreWCF 1.9.0 before 1.9.1

Fixed versions

  • 1.8.1
  • 1.9.1

How to fix it

CoreWCF before 1.8.1 and 1.9.1 can mishandle SAML SubjectConfirmation and holder-of-key proof checks, allowing SAML assertions to authenticate without proving the expected authority. Update CoreWCF and review services that accept issued SAML tokens.

  1. Identify CoreWCF services that validate SAML tokens through SamlSecurityTokenHandler.
  2. Upgrade CoreWCF packages to 1.8.1, 1.9.1, or later.
  3. Review SAML trust policy and require expected SubjectConfirmation methods for each relying party.
  4. Ensure holder-of-key assertions require proof of possession of the bound key.
  5. Expire active SAML sessions and lower token lifetime during remediation.
  6. Audit successful SAML authentications for unusual confirmation methods or principals.
  7. Limit access to SAML-backed SOAP services until token validation behavior is confirmed.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm affected applications run patched CoreWCF packages.
  • Test bearer, holder-of-key, and custom SubjectConfirmation methods and confirm unsupported methods fail.
  • Verify holder-of-key tokens require proof of possession.
  • Review SAML logs for tokens with unexpected confirmation methods.
  • Run a Fixnx scan and confirm SAML-backed endpoints match the intended exposure.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-54781?

CoreWCF Project CoreWCF versions listed as affected should be reviewed: CoreWCF before 1.8.1, CoreWCF 1.9.0 before 1.9.1.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.