CVE-2026-54780
C# Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-54780 is a WS-Security Reference DigestMethod Algorithm-Suite Bypass vulnerability in CoreWCF's CoreWCF.Primitives NuGet package. The flaw allows an attacker to bypass the configured SecurityAlgorithmSuite by declaring a weak DigestMethod (e.g., SHA-1) on individual ds:Reference elements while using an accepted SignatureMethod, causing the server to accept cryptographically weakened messages. Affected versions are CoreWCF.Primitives < 1.8.1 and >= 1.9.0, < 1.9.1. It was published on June 16, 2026, and carries a CVSS v3.1 base score of 3.7 (Low) (GitHub Advisory, CoreWCF Advisory).

Détails techniques

The root cause is classified under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-757 (Algorithm Downgrade). CoreWCF's WS-Security 1.0 receive pipeline correctly validates the SignatureMethod in ds:SignedInfo against the configured SecurityAlgorithmSuite, but fails to validate the DigestMethod declared on each individual ds:Reference. An attacker can craft a SOAP message that uses an accepted SignatureMethod (e.g., rsa-sha256 under Basic256Sha256) while specifying a rejected DigestMethod (e.g., http://www.w3.org/2000/09/xmldsig#sha1) per reference; the signature verification succeeds because SHA-1 digests are permitted at the reference level, and the message is accepted by the server (GitHub Advisory, CoreWCF Advisory).

Impact

Successful exploitation allows a remote, unauthenticated attacker to bypass the cryptographic algorithm policy enforced by the server's SecurityAlgorithmSuite, resulting in a low-integrity impact on SOAP message processing. Specifically, an attacker can cause the server to accept messages whose references are hashed with a weak algorithm (SHA-1), undermining the integrity guarantees of WS-Security-protected communications. There is no confidentiality or availability impact, and the scope is unchanged, limiting the blast radius to the integrity of the affected WCF service endpoint (GitHub Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify a network-accessible CoreWCF service endpoint using WS-Security 1.0 with a SecurityAlgorithmSuite that prohibits SHA-1 digests (e.g., Basic256Sha256), running CoreWCF.Primitives versions 1.8.0 or 1.9.0.
  2. Craft malicious SOAP message: Construct a valid SOAP message with a ds:SignedInfo block that uses an accepted SignatureMethod (e.g., http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) to satisfy the suite's signature algorithm check.
  3. Inject weak DigestMethod: Within each ds:Reference element inside ds:SignedInfo, declare a DigestMethod that the suite rejects (e.g., http://www.w3.org/2000/09/xmldsig#sha1), and compute the reference digest using SHA-1.
  4. Sign and send: Sign the message using a valid key so the SignatureMethod verification passes, then transmit the crafted SOAP request to the target endpoint.
  5. Bypass accepted: The server validates only the SignatureMethod, not the per-reference DigestMethod, and accepts the message — effectively allowing the attacker to use a cryptographically weaker digest algorithm than the policy permits (GitHub Advisory, CoreWCF Advisory).

Indicateurs de compromis

  • Network: Inbound SOAP requests to WCF service endpoints containing ds:Reference elements with DigestMethod values referencing SHA-1 (http://www.w3.org/2000/09/xmldsig#sha1) while the SignatureMethod uses a stronger algorithm (e.g., rsa-sha256).
  • Logs: Application or WCF trace logs showing successful WS-Security signature validation on messages where the DigestMethod does not match the configured SecurityAlgorithmSuite; absence of algorithm-suite rejection errors for SHA-1 digest references on vulnerable versions.
  • Network: Unexpected or anomalous SOAP traffic to secured WCF endpoints from unknown or untrusted sources, particularly with crafted ds:SignedInfo structures.

Atténuation et solutions de contournement

Upgrade CoreWCF.Primitives to version 1.8.1 (for the 1.8.x branch) or 1.9.1 (for the 1.9.x branch), which fix the missing DigestMethod validation in the WS-Security receive pipeline. The vendor has confirmed there are no available workarounds — patching is the only remediation. Organizations should prioritize updating any services using WS-Security with strict algorithm suites (e.g., Basic256Sha256) to prevent algorithm downgrade attacks (GitHub Advisory, CoreWCF Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté C# Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54782CRITICAL10
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026
CVE-2026-54784HIGH7.4
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026
CVE-2026-54783HIGH7.4
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026
CVE-2026-54781HIGH7.4
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026
CVE-2026-54780LOW3.7
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités