CoreWCF WS-Security Signature Target Replay Vulnerability
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF WS-Security endorsing and supporting signature verification does not ensure the selected ds:Signature covers the expected Security header target, allowing an attacker with one captured signed SOAP envelope to replay arbitrary service operations as the victim principal. This issue is fixed in versions 1.8.1 and 1.9.1.
Quick answer
CoreWCF Project CoreWCF should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- CoreWCF before 1.8.1
- CoreWCF 1.9.0 before 1.9.1
Fixed versions
- 1.8.1
- 1.9.1
How to fix it
CoreWCF before 1.8.1 and 1.9.1 can accept WS-Security signatures that do not cover the expected Security header target, allowing replay of captured signed SOAP envelopes as the victim principal. Update CoreWCF and review SOAP services that rely on endorsing or supporting signatures.
- Inventory CoreWCF services that use WS-Security, endorsing signatures, or supporting token signatures.
- Upgrade all CoreWCF packages to 1.8.1, 1.9.1, or a later fixed release on every affected service.
- Redeploy services and verify no application still loads vulnerable CoreWCF assemblies.
- Expire captured or long-lived SOAP security tokens and shorten token lifetimes where possible.
- Require timestamps, nonce validation, and replay detection on signed SOAP messages where supported.
- Review service operation logs for repeated signed envelopes, unusual principals, or unexpected high-privilege operations.
- Restrict exposed SOAP endpoints to trusted networks or authenticated gateways while upgrades are rolling out.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm deployed packages are CoreWCF 1.8.1, 1.9.1, or later.
- Test that replayed signed SOAP envelopes are rejected.
- Validate signatures are checked against the intended WS-Security header target.
- Review logs for suspicious repeated SOAP requests or principal impersonation.
- Run a Fixnx scan and confirm only intended CoreWCF service endpoints are exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-54783?
CoreWCF Project CoreWCF versions listed as affected should be reviewed: CoreWCF before 1.8.1, CoreWCF 1.9.0 before 1.9.1.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
