Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-54773
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-08 Jul, 2026 | 22:09
Updated At-10 Jul, 2026 | 14:05
Rejected At-
▼CVE Numbering Authority (CNA)
CoreWCF: WS-Security signature substitution via document-wide Signature lookup

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF WS-Security signature verification performs a document-wide ds:Signature lookup, allowing an unauthenticated remote attacker to place a SOAP header before wsse:Security and cause WSSecurityOneDotZeroReceiveSecurityHeader to verify an attacker-supplied signature instead of the security header signature. This issue is fixed in versions 1.8.1 and 1.9.1.

Affected Products
Vendor
CoreWCF
Product
CoreWCF
Versions
Affected
  • >= 1.9.0, < 1.9.1
  • < 1.8.1
Problem Types
TypeCWE IDDescription
CWECWE-347CWE-347: Improper Verification of Cryptographic Signature
Type: CWE
CWE ID: CWE-347
Description: CWE-347: Improper Verification of Cryptographic Signature
Metrics
VersionBase scoreBase severityVector
3.15.9MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-jc6x-rj79-w4mx
x_refsource_CONFIRM
https://github.com/CoreWCF/CoreWCF/commit/0589692d4b9a41d21b34ac48281e95f6df7f4ce5
x_refsource_MISC
https://github.com/CoreWCF/CoreWCF/commit/30aef805270976c42477e3f2a05f4e563d86e247
x_refsource_MISC
https://github.com/CoreWCF/CoreWCF/commit/4618f24165ad018ad3ed2636bf8c3bc87d2a3be2
x_refsource_MISC
https://github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1
x_refsource_MISC
https://github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1
x_refsource_MISC
Hyperlink: https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-jc6x-rj79-w4mx
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/CoreWCF/CoreWCF/commit/0589692d4b9a41d21b34ac48281e95f6df7f4ce5
Resource:
x_refsource_MISC
Hyperlink: https://github.com/CoreWCF/CoreWCF/commit/30aef805270976c42477e3f2a05f4e563d86e247
Resource:
x_refsource_MISC
Hyperlink: https://github.com/CoreWCF/CoreWCF/commit/4618f24165ad018ad3ed2636bf8c3bc87d2a3be2
Resource:
x_refsource_MISC
Hyperlink: https://github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1
Resource:
x_refsource_MISC
Hyperlink: https://github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Details not found