criticalCVE-2026-54782

CoreWCF SAML Token Signature Validation Authentication Bypass Vulnerability

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML 1.1 and SAML 2.0 token validation does not correctly resolve the issuer signing key or require signed tokens when IdentityConfiguration is used with federated bindings, allowing an unauthenticated remote attacker to impersonate any principal the trusted STS could issue. This issue is fixed in versions 1.8.1 and 1.9.1.

ProductCoreWCF
CVSS10.0
EPSS0.00246
UpdatedJuly 10, 2026

Quick answer

CoreWCF Project CoreWCF should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • CoreWCF before 1.8.1
  • CoreWCF 1.9.0 before 1.9.1

Fixed versions

  • 1.8.1
  • 1.9.1

How to fix it

CoreWCF SAML token validation before 1.8.1 and 1.9.1 can allow unauthenticated impersonation when federated bindings use IdentityConfiguration. Treat this as critical for WSFederationHttpBinding or WS2007FederationHttpBinding services and update immediately.

  1. Inventory CoreWCF services using SAML 1.1 or SAML 2.0 with federated bindings and IdentityConfiguration.
  2. Upgrade CoreWCF packages to 1.8.1, 1.9.1, or later across all relying-party services.
  3. Validate trusted STS certificates, issuer metadata, audience restrictions, and token-signing configuration.
  4. Temporarily restrict network access to federated CoreWCF endpoints until every service is patched.
  5. Expire existing SAML sessions and force reauthentication for sensitive services.
  6. Review authorization logs for unexpected principals, administrative claims, or impossible login patterns.
  7. Rotate service credentials or signing trust configuration if forged or unsigned SAML tokens may have been accepted.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm every affected service loads CoreWCF 1.8.1, 1.9.1, or later.
  • Test that unsigned SAML tokens and tokens signed with the wrong issuer key are rejected.
  • Verify federated services enforce issuer, audience, signature, and claim mapping rules.
  • Review authentication logs for suspicious impersonation during the vulnerable window.
  • Run a Fixnx scan and confirm federated SOAP endpoints are not publicly exposed beyond the intended access model.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-54782?

CoreWCF Project CoreWCF versions listed as affected should be reviewed: CoreWCF before 1.8.1, CoreWCF 1.9.0 before 1.9.1.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.