CVE-2026-54781
C# Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-54781 is a SAML authentication bypass vulnerability in CoreWCF (CoreWCF.Primitives NuGet package) where SAML 1.1 SubjectConfirmation methods and holder-of-key proof keys are not enforced, allowing an attacker to be authenticated as an assertion's subject without proving authority over the assertion. It affects CoreWCF.Primitives versions < 1.8.1 and >= 1.9.0, < 1.9.1 (specifically versions 1.8.0 and 1.9.0). The vulnerability was published on June 16, 2026, and added to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v3.1 base score of 7.4 (High) (GitHub Advisory, CoreWCF Advisory).

Détails techniques

The root cause is classified under CWE-287 (Improper Authentication) and CWE-345 (Insufficient Verification of Data Authenticity): CoreWCF fails to enforce SAML 1.1 SubjectConfirmation method validation and holder-of-key proof key requirements when processing federated tokens. Two distinct exploit shapes exist: (1) Holder-of-key downgrade — an attacker presents a holder-of-key SAML assertion lacking a KeyInfo element (due to an issuer bug, custom STS shape, or captured assertion) and is authenticated without producing the required proof key; (2) Custom-method bypass — an attacker presents an assertion bearing a non-standard confirmation method URI, silently bypassing per-method policies the framework should enforce. Exploitation requires the service to be configured to accept SAML 1.1 tokens via federation (e.g., WS2007FederationHttpBinding, WSFederationHttpBinding, or custom bindings using IssuedSecurityTokenParameters with a SAML 1.1 token type), and the attacker must have obtained at least one signed SAML 1.1 assertion of a triggering shape (GitHub Advisory, CoreWCF Advisory).

Impact

Successful exploitation results in the relying application receiving a ClaimsPrincipal for a subject whose authority over the assertion was never proven, effectively granting an attacker unauthorized authentication as an arbitrary user. This leads to high confidentiality and integrity impact — an attacker can access protected resources and perform actions as the impersonated subject, potentially including privileged operations. Availability is not directly impacted, but the authentication bypass could enable lateral movement within federated service environments or escalation to sensitive business functions (GitHub Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify services using CoreWCF.Primitives versions 1.8.0 or 1.9.0 that are configured to accept SAML 1.1 tokens via federation bindings such as WS2007FederationHttpBinding or WSFederationHttpBinding.
  2. Obtain a triggering SAML assertion: Acquire a signed SAML 1.1 assertion that either (a) uses the holder-of-key confirmation method but lacks a KeyInfo element (e.g., captured from a session with a buggy STS, or issued by a permissive custom STS), or (b) bears a non-standard/custom SubjectConfirmationMethod URI not in the standard SAML 1.1 trio.
  3. Present the assertion to the target service: Submit the crafted or captured SAML assertion to the vulnerable CoreWCF service endpoint as part of a federated authentication request.
  4. Bypass authentication enforcement: Because CoreWCF does not validate the confirmation method or enforce holder-of-key proof key requirements, the service accepts the assertion and issues a ClaimsPrincipal for the assertion's subject without the attacker proving possession of the required key.
  5. Achieve unauthorized access: The attacker is now authenticated as the assertion's subject and can access protected resources or perform privileged actions on the service (GitHub Advisory, CoreWCF Advisory).

Indicateurs de compromis

  • Logs: Authentication events in service logs showing successful federation authentications where the SAML assertion's SubjectConfirmationMethod is not one of the standard SAML 1.1 trio (urn:oasis:names:tc:SAML:1.0:cm:bearer, urn:oasis:names:tc:SAML:1.0:cm:holder-of-key, urn:oasis:names:tc:SAML:1.0:cm:sender-vouches); successful holder-of-key authentications where no KeyInfo element was present in the assertion.
  • Network: Unexpected or anomalous WS-Federation token requests to CoreWCF service endpoints, particularly from sources not associated with known STS infrastructure; SAML assertions in transit lacking KeyInfo elements for holder-of-key confirmation methods.
  • Application Behavior: Authenticated sessions or ClaimsPrincipal objects associated with identities that do not correspond to expected users or service accounts, especially in federated authentication flows.

Atténuation et solutions de contournement

The vulnerability is fixed in CoreWCF v1.8.1 and CoreWCF v1.9.1; organizations should upgrade the CoreWCF.Primitives NuGet package to one of these patched versions immediately. As a workaround, services are not vulnerable if no trusted STS in their environment is willing to issue SAML assertions with a non-standard SubjectConfirmationMethod or holder-of-key assertions without KeyInfo — auditing and hardening STS configurations to prevent issuance of such assertions reduces exposure. Organizations should also review their federation binding configurations and restrict accepted token types where possible (GitHub Advisory, CoreWCF Advisory).

Réactions de la communauté

The advisory was published by CoreWCF maintainer mconnew on June 16, 2026, and added to the GitHub Advisory Database on June 19, 2026. No significant broader media coverage, researcher commentary, or notable social media reactions have been identified beyond the official advisory at this time.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté C# Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54782CRITICAL10
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026
CVE-2026-54784HIGH7.4
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026
CVE-2026-54783HIGH7.4
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026
CVE-2026-54781HIGH7.4
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026
CVE-2026-54780LOW3.7
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités