
PEACH
Un cadre d’isolation des locataires
CVE-2026-54781 is a SAML authentication bypass vulnerability in CoreWCF (CoreWCF.Primitives NuGet package) where SAML 1.1 SubjectConfirmation methods and holder-of-key proof keys are not enforced, allowing an attacker to be authenticated as an assertion's subject without proving authority over the assertion. It affects CoreWCF.Primitives versions < 1.8.1 and >= 1.9.0, < 1.9.1 (specifically versions 1.8.0 and 1.9.0). The vulnerability was published on June 16, 2026, and added to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v3.1 base score of 7.4 (High) (GitHub Advisory, CoreWCF Advisory).
The root cause is classified under CWE-287 (Improper Authentication) and CWE-345 (Insufficient Verification of Data Authenticity): CoreWCF fails to enforce SAML 1.1 SubjectConfirmation method validation and holder-of-key proof key requirements when processing federated tokens. Two distinct exploit shapes exist: (1) Holder-of-key downgrade — an attacker presents a holder-of-key SAML assertion lacking a KeyInfo element (due to an issuer bug, custom STS shape, or captured assertion) and is authenticated without producing the required proof key; (2) Custom-method bypass — an attacker presents an assertion bearing a non-standard confirmation method URI, silently bypassing per-method policies the framework should enforce. Exploitation requires the service to be configured to accept SAML 1.1 tokens via federation (e.g., WS2007FederationHttpBinding, WSFederationHttpBinding, or custom bindings using IssuedSecurityTokenParameters with a SAML 1.1 token type), and the attacker must have obtained at least one signed SAML 1.1 assertion of a triggering shape (GitHub Advisory, CoreWCF Advisory).
Successful exploitation results in the relying application receiving a ClaimsPrincipal for a subject whose authority over the assertion was never proven, effectively granting an attacker unauthorized authentication as an arbitrary user. This leads to high confidentiality and integrity impact — an attacker can access protected resources and perform actions as the impersonated subject, potentially including privileged operations. Availability is not directly impacted, but the authentication bypass could enable lateral movement within federated service environments or escalation to sensitive business functions (GitHub Advisory).
WS2007FederationHttpBinding or WSFederationHttpBinding.KeyInfo element (e.g., captured from a session with a buggy STS, or issued by a permissive custom STS), or (b) bears a non-standard/custom SubjectConfirmationMethod URI not in the standard SAML 1.1 trio.ClaimsPrincipal for the assertion's subject without the attacker proving possession of the required key.SubjectConfirmationMethod is not one of the standard SAML 1.1 trio (urn:oasis:names:tc:SAML:1.0:cm:bearer, urn:oasis:names:tc:SAML:1.0:cm:holder-of-key, urn:oasis:names:tc:SAML:1.0:cm:sender-vouches); successful holder-of-key authentications where no KeyInfo element was present in the assertion.KeyInfo elements for holder-of-key confirmation methods.ClaimsPrincipal objects associated with identities that do not correspond to expected users or service accounts, especially in federated authentication flows.The vulnerability is fixed in CoreWCF v1.8.1 and CoreWCF v1.9.1; organizations should upgrade the CoreWCF.Primitives NuGet package to one of these patched versions immediately. As a workaround, services are not vulnerable if no trusted STS in their environment is willing to issue SAML assertions with a non-standard SubjectConfirmationMethod or holder-of-key assertions without KeyInfo — auditing and hardening STS configurations to prevent issuance of such assertions reduces exposure. Organizations should also review their federation binding configurations and restrict accepted token types where possible (GitHub Advisory, CoreWCF Advisory).
The advisory was published by CoreWCF maintainer mconnew on June 16, 2026, and added to the GitHub Advisory Database on June 19, 2026. No significant broader media coverage, researcher commentary, or notable social media reactions have been identified beyond the official advisory at this time.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."