Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-54782
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-08 Jul, 2026 | 22:20
Updated At-10 Jul, 2026 | 03:55
Rejected At-
▼CVE Numbering Authority (CNA)
CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML 1.1 and SAML 2.0 token validation does not correctly resolve the issuer signing key or require signed tokens when IdentityConfiguration is used with federated bindings, allowing an unauthenticated remote attacker to impersonate any principal the trusted STS could issue. This issue is fixed in versions 1.8.1 and 1.9.1.

Affected Products
Vendor
CoreWCF
Product
CoreWCF
Versions
Affected
  • >= 1.9.0, < 1.9.1
  • < 1.8.1
Problem Types
TypeCWE IDDescription
CWECWE-290CWE-290: Authentication Bypass by Spoofing
CWECWE-347CWE-347: Improper Verification of Cryptographic Signature
Type: CWE
CWE ID: CWE-290
Description: CWE-290: Authentication Bypass by Spoofing
Type: CWE
CWE ID: CWE-347
Description: CWE-347: Improper Verification of Cryptographic Signature
Metrics
VersionBase scoreBase severityVector
3.110.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Version: 3.1
Base score: 10.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-xjr9-gg9q-jx3v
x_refsource_CONFIRM
https://github.com/CoreWCF/CoreWCF/commit/0b8c8af851260e85e8402af53233d1b8f87dfb6f
x_refsource_MISC
https://github.com/CoreWCF/CoreWCF/commit/0e63c2cca55763d8be6b226a234579280a09e7b6
x_refsource_MISC
https://github.com/CoreWCF/CoreWCF/commit/e5cc9b6a4ecc102a50d782093bfc72e0790abe3d
x_refsource_MISC
https://github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1
x_refsource_MISC
https://github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1
x_refsource_MISC
Hyperlink: https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-xjr9-gg9q-jx3v
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/CoreWCF/CoreWCF/commit/0b8c8af851260e85e8402af53233d1b8f87dfb6f
Resource:
x_refsource_MISC
Hyperlink: https://github.com/CoreWCF/CoreWCF/commit/0e63c2cca55763d8be6b226a234579280a09e7b6
Resource:
x_refsource_MISC
Hyperlink: https://github.com/CoreWCF/CoreWCF/commit/e5cc9b6a4ecc102a50d782093bfc72e0790abe3d
Resource:
x_refsource_MISC
Hyperlink: https://github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1
Resource:
x_refsource_MISC
Hyperlink: https://github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Details not found