
PEACH
Un cadre d’isolation des locataires
CVE-2026-54780 is a WS-Security Reference DigestMethod Algorithm-Suite Bypass vulnerability in CoreWCF's CoreWCF.Primitives NuGet package. The flaw allows an attacker to bypass the configured SecurityAlgorithmSuite by declaring a weak DigestMethod (e.g., SHA-1) on individual ds:Reference elements while using an accepted SignatureMethod, causing the server to accept cryptographically weakened messages. Affected versions are CoreWCF.Primitives < 1.8.1 and >= 1.9.0, < 1.9.1. It was published on June 16, 2026, and carries a CVSS v3.1 base score of 3.7 (Low) (GitHub Advisory, CoreWCF Advisory).
The root cause is classified under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-757 (Algorithm Downgrade). CoreWCF's WS-Security 1.0 receive pipeline correctly validates the SignatureMethod in ds:SignedInfo against the configured SecurityAlgorithmSuite, but fails to validate the DigestMethod declared on each individual ds:Reference. An attacker can craft a SOAP message that uses an accepted SignatureMethod (e.g., rsa-sha256 under Basic256Sha256) while specifying a rejected DigestMethod (e.g., http://www.w3.org/2000/09/xmldsig#sha1) per reference; the signature verification succeeds because SHA-1 digests are permitted at the reference level, and the message is accepted by the server (GitHub Advisory, CoreWCF Advisory).
Successful exploitation allows a remote, unauthenticated attacker to bypass the cryptographic algorithm policy enforced by the server's SecurityAlgorithmSuite, resulting in a low-integrity impact on SOAP message processing. Specifically, an attacker can cause the server to accept messages whose references are hashed with a weak algorithm (SHA-1), undermining the integrity guarantees of WS-Security-protected communications. There is no confidentiality or availability impact, and the scope is unchanged, limiting the blast radius to the integrity of the affected WCF service endpoint (GitHub Advisory).
SecurityAlgorithmSuite that prohibits SHA-1 digests (e.g., Basic256Sha256), running CoreWCF.Primitives versions 1.8.0 or 1.9.0.ds:SignedInfo block that uses an accepted SignatureMethod (e.g., http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) to satisfy the suite's signature algorithm check.ds:Reference element inside ds:SignedInfo, declare a DigestMethod that the suite rejects (e.g., http://www.w3.org/2000/09/xmldsig#sha1), and compute the reference digest using SHA-1.SignatureMethod verification passes, then transmit the crafted SOAP request to the target endpoint.SignatureMethod, not the per-reference DigestMethod, and accepts the message — effectively allowing the attacker to use a cryptographically weaker digest algorithm than the policy permits (GitHub Advisory, CoreWCF Advisory).ds:Reference elements with DigestMethod values referencing SHA-1 (http://www.w3.org/2000/09/xmldsig#sha1) while the SignatureMethod uses a stronger algorithm (e.g., rsa-sha256).DigestMethod does not match the configured SecurityAlgorithmSuite; absence of algorithm-suite rejection errors for SHA-1 digest references on vulnerable versions.ds:SignedInfo structures.Upgrade CoreWCF.Primitives to version 1.8.1 (for the 1.8.x branch) or 1.9.1 (for the 1.9.x branch), which fix the missing DigestMethod validation in the WS-Security receive pipeline. The vendor has confirmed there are no available workarounds — patching is the only remediation. Organizations should prioritize updating any services using WS-Security with strict algorithm suites (e.g., Basic256Sha256) to prevent algorithm downgrade attacks (GitHub Advisory, CoreWCF Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."