CVE-2026-54782: CoreWCF SAML Token Validation Vulnerability
TL;DR - Critical CoreWCF flaw can allow unauthenticated impersonation in federated SAML deployments. - Affects CoreWCF setups using
IdentityConfigurationwith federated bindings before 1.8.1 and 1.9.1. - Upgrade immediately; no KEV listing or confirmed public PoC was identified, but impact is severe.
Vulnerability at a Glance
| Field | Value |
|---|---|
| CVE ID | CVE-2026-54782 |
| CVSS score | 10.0 |
| Attack vector | Remote over the network in affected federated authentication flows |
| Privileges required | None stated; described as unauthenticated |
| Patch available | Yes |
| Fixed versions | 1.8.1 and 1.9.1 |
CVE-2026-54782 is a critical authentication and impersonation issue in CoreWCF. According to the NVD description, affected versions do not correctly resolve the issuer signing key and do not require signed tokens when IdentityConfiguration is used with federated bindings. In practice, that can break the trust model around SAML assertions.
For defenders, the most important point is scope. This is not a generic “all CoreWCF deployments are instantly exposed” statement. The verified risk applies to CoreWCF deployments using SAML 1.1 or SAML 2.0 in federated binding scenarios with IdentityConfiguration. If your services rely on that pattern, treat this as an urgent patching and validation task.
What Is This Vulnerability?
At its core, CVE-2026-54782 is a token validation flaw in a federation scenario. CoreWCF is expected to validate SAML tokens issued by a trusted Security Token Service (STS). That validation depends on correctly identifying the issuer’s signing key and enforcing that the token is signed. The NVD description says affected versions failed on both fronts under certain conditions: issuer signing key resolution was incorrect, and signed tokens were not required.
That combination is dangerous because federation assumes the application trusts identities only after cryptographic verification. If the service accepts an unsigned token, or mishandles which key should be trusted for signature validation, an attacker may be able to present a crafted token that the service treats as authentic. The consequence is impersonation of any principal the trusted STS could normally issue.
This is why the issue is more than a routine validation bug. In many environments, federated authentication is used to separate identity management from application logic. If token validation fails, the application can no longer reliably distinguish a legitimate user from an attacker-controlled identity claim set. Depending on the service design, that could grant access to sensitive operations, internal APIs, or privileged workflows.
Technical Notes
A simplified representation of the risky condition described by the CVE is a service using federated bindings with IdentityConfiguration for SAML token handling:
// Illustrative example only; not a vulnerable proof of concept
var identityConfiguration = new IdentityConfiguration();
// Token validation behavior in affected versions may not correctly
// resolve issuer signing keys or require signed SAML tokens
// when used in federated binding scenarios.
Defenders should focus review on services that combine these elements:
- CoreWCF
- SAML 1.1 or SAML 2.0
- Federated bindings
- IdentityConfiguration
- Trust in an external STS
Who Is Affected?
The authoritative version statement available from the NVD description is that the issue affects CoreWCF prior to versions 1.8.1 and 1.9.1, and that the flaw is fixed in those releases. The safest precise wording is: if you are on an affected release line and have not upgraded to 1.8.1 or 1.9.1, review your deployment immediately.
The same NVD text specifically ties the vulnerability to SAML token validation in federated binding scenarios using IdentityConfiguration. That means affected exposure is configuration-dependent. An organization running CoreWCF without federated SAML authentication may not be exposed to the vulnerable code path in the same way. By contrast, organizations using SAML 1.1 or SAML 2.0 with a trusted STS should assume impact until they confirm both version and configuration.
The strongest version guidance that can be stated without speculation is:
- CoreWCF versions earlier than 1.8.1
- CoreWCF 1.9.x versions earlier than 1.9.1
Because the available primary-source summary does not enumerate every package name and every branch mapping in full, defenders should verify installed package versions directly in their project files, lockfiles, dependency manifests, and CI artifacts.
Technical Notes
Check project references and resolved dependency versions:
dotnet list package | grep -i corewcf
Inspect project files directly:
grep -Rin "CoreWCF" .
grep -Rin "<PackageReference" . | grep -i corewcf
Example XML pattern to look for:
<PackageReference Include="CoreWCF.Primitives" Version="1.8.0" />
CVSS Score Breakdown
The verified CVSS base score is 10.0, which places CVE-2026-54782 in the maximum severity category. The tooling available in the research note confirmed the score, but not the vector string. Because the vector was not exposed in the available response, it would be irresponsible to invent the exact metric values.
Even without the vector, the score aligns with the reported behavior. The NVD description indicates remote exploitation, no authentication requirement, and the ability to impersonate arbitrary principals in the trust domain of the affected STS. That implies a complete failure of authentication guarantees, which can translate into broad confidentiality, integrity, and availability impact depending on what the service exposes.
From an operational standpoint, defenders should treat the lack of a published vector in the available dataset as a data gap, not a reason to downplay the risk. A 10.0 score on an auth-bypass or impersonation issue in a federation path is enough to justify emergency change review and accelerated patching, especially for internet-exposed or partner-facing services.
Technical Notes
When the exact vector is unavailable, document what is verified and what is not:
Verified:
- CVSS base score: 10.0
- Remote unauthenticated impersonation impact in affected scenarios
Not verified from available source payload:
- Exact CVSS vector string
- Individual metric values as published by NVD
Exploitation Status
At the time of writing, CISA KEV does not list CVE-2026-54782. That means there is no KEV-based confirmation of active exploitation in the wild. It also means there is no CISA-required remediation deadline attached to this CVE for federal civilian agencies through KEV policy.
No authoritative public proof-of-concept was identified in the research note’s primary references. The official references available point to CoreWCF commits and fixed release tags, not to a vendor advisory claiming observed attacks or to an official exploit write-up. Based on the available data, the safest statement is: no confirmed in-the-wild exploitation was identified, and no authoritative public PoC was confirmed from the cited primary sources.
Defenders should not interpret that as low risk. Authentication flaws involving token validation frequently become easier to weaponize once patch diffs are reviewed. Since the issue affects trust decisions rather than a minor edge case, assume that exploit development is plausible even in the absence of public reporting.
Technical Notes
Status summary suitable for incident or risk registers:
Public PoC: Unknown / not confirmed from authoritative references reviewed
Active exploitation: Not confirmed
CISA KEV: No
Defender assumption: High-risk, patch-as-priority due to authentication bypass potential
How to Detect It
Detection is challenging because this vulnerability can manifest as apparently valid authentication events. If a forged or improperly accepted SAML token is processed successfully, the service may log only a normal principal identity and operation access. That means defenders need to correlate identity, token-processing, and application access patterns rather than rely on obvious exploit signatures alone.
Start by identifying all services using federated bindings and IdentityConfiguration, then review logs for unexpected principal assertions, unusual issuer values, tokens accepted without expected signature validation events, or bursts of successful access from previously unseen identities. If your environment logs SAML claims, look for mismatches between expected issuer, audience, signing behavior, and user identity.
Because exact CoreWCF logging formats vary by application and hosting model, there is no universal built-in log line to guarantee detection. In the absence of a vendor-provided signature, defenders should assume suspicious activity includes successful authentication where token provenance cannot be validated through surrounding logs.
Technical Notes
Example indicators and hunting patterns:
Potential log patterns to review
- Sudden successful authentication for high-privilege principals without corresponding STS activity
- SAML tokens accepted where signature validation logs are absent
- Issuer values that do not match expected trusted STS identifiers
- Authentication success immediately followed by unusual service method invocation
Example grep patterns for application logs:
grep -RinE "SAML|SecurityToken|issuer|signature|federat|IdentityConfiguration" /var/log /app/logs
Example Splunk-style hunting query:
index=app_logs ("SAML" OR "SecurityToken" OR "IdentityConfiguration" OR "issuer")
| stats count by host, service, user, issuer, action, status
| where status="Success"
Example Sigma-style logic to adapt internally:
title: Suspicious federated SAML authentication success in CoreWCF service
logsource:
product: application
detection:
selection:
message|contains:
- "SAML"
- "SecurityToken"
- "IdentityConfiguration"
condition: selection
level: medium
If you lack sufficient authentication telemetry, prioritize patching and add temporary debug or audit logging around token validation, issuer resolution, and authorization decisions while testing the fixed release.
Mitigation and Patching
The verified fix is to upgrade to CoreWCF 1.8.1 or CoreWCF 1.9.1, depending on your release line. Those are the versions explicitly identified as fixing the vulnerability. If you are on a version earlier than 1.8.1, upgrade to 1.8.1 or later in a supported branch. If you are on 1.9.0, upgrade to 1.9.1 or later in that branch.
Because this is an authentication integrity issue, patching should include more than a package bump. After upgrading, validate that your service rejects unsigned SAML tokens, resolves the correct issuer signing key, and only trusts the expected STS. Regression-test federated authentication paths, especially for privileged roles and cross-service access.
If an immediate upgrade is not possible, reduce exposure by limiting access to affected services, restricting federation endpoints to trusted network paths, and reviewing whether the vulnerable federated binding configuration can be temporarily disabled. These are compensating controls, not full fixes. In the absence of a patch, assume that any reachable vulnerable service using the affected configuration remains high risk.
Technical Notes
Upgrade with the .NET CLI by pinning the fixed package version in the relevant project:
dotnet add package CoreWCF.Primitives --version 1.8.1
Or, if you are on the 1.9 branch:
dotnet add package CoreWCF.Primitives --version 1.9.1
Then restore, build, and test:
dotnet restore
dotnet build
dotnet test
If your solution uses central package management, update the version in Directory.Packages.props:
<Project>
<ItemGroup>
<PackageVersion Include="CoreWCF.Primitives" Version="1.9.1" />
</ItemGroup>
</Project>
Temporary workaround approach if upgrade is blocked:
- Disable or isolate services using federated bindings with IdentityConfiguration
- Restrict exposure to internal or trusted network segments only
- Require additional gateway authentication in front of the service where feasible
- Increase audit logging around token validation and privileged operations
Post-patch verification checklist:
dotnet list package | grep -i corewcf
Confirm:
- Installed version is 1.8.1 or 1.9.1 or later
- Federated authentication still works for legitimate users
- Unsigned or tampered SAML tokens are rejected in test
- Expected issuer signing key is used during validation
References
The primary reference for the vulnerability description is the NVD record for CVE-2026-54782. That entry provides the verified impact statement, affected configuration context, and fixed versions. For practitioners, it is the authoritative source for the public summary when internal package inventories are being reviewed.
The other key references are the official CoreWCF repository commit links and release pages for v1.8.1 and v1.9.1. Those establish that code-level remediation was made available by the project and provide the fixed release points defenders should target. CISA KEV is also relevant because it currently does not list this CVE, which helps clarify current public exploitation status.
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2026-54782
- CoreWCF commit reference 1: https://github.com/CoreWCF/CoreWCF/commit/0b8c8af851260e85e8402af53233d1b8f87dfb6f
- CoreWCF commit reference 2: https://github.com/CoreWCF/CoreWCF/commit/0e63c2cca55763d8be6b226a234579280a09e7b6
- CoreWCF additional commit reference: https://github.com/CoreWCF/CoreWCF/commit/e5cc9b6a4ecc102a50d782093bfc72e0790abe3d
- CoreWCF fixed release v1.8.1: https://github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1
- CoreWCF fixed release v1.9.1: https://github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
For further reading, you can explore the implications of authentication vulnerabilities in federated systems in our article on threat intelligence platforms and learn more about how SSO works.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.