
PEACH
Un cadre d’isolation des locataires
CVE-2026-54782 is a critical authentication bypass vulnerability in CoreWCF's SAML 1.1 and SAML 2.0 token signature validation, allowing unauthenticated remote attackers to fully impersonate any principal the trusted Security Token Service (STS) could have issued an assertion for. It affects the CoreWCF.Primitives NuGet package versions 1.8.0 and 1.9.0. The advisory was published on June 16, 2026, and added to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v3.1 base score of 10.0 (Critical) (GitHub Advisory, CoreWCF Advisory).
The root cause is improper verification of cryptographic signatures on SAML tokens (CWE-347) combined with authentication bypass by spoofing (CWE-290). The flaw exists in the FederatedSecurityTokenManager used when a relying-party service is hosted with WSFederationHttpBinding or WS2007FederationHttpBinding and IdentityConfiguration is wired (UseIdentityConfiguration = true). An attacker who can reach the service over the network and knows the trusted STS's public certificate — which is by design publicly discoverable — can craft or replay a forged SAML assertion that bypasses signature validation, enabling full principal impersonation without any credentials (GitHub Advisory, CoreWCF Advisory).
Successful exploitation enables full impersonation of any principal the trusted STS could have issued an assertion for, including administrative principals when the relying party grants elevated privileges via SAML claims. This results in high confidentiality and integrity impact across the affected service and potentially any downstream resources accessible to the impersonated identity, with scope change indicating impact beyond the vulnerable component itself. An attacker could gain unauthorized administrative access, exfiltrate sensitive data, modify application state, or use the compromised identity for lateral movement within the environment (GitHub Advisory, CoreWCF Advisory).
WSFederationHttpBinding or WS2007FederationHttpBinding with UseIdentityConfiguration = true. This can be done by inspecting WSDL/metadata endpoints or service discovery.https://<sts-host>/FederationMetadata/2007-06/FederationMetadata.xml), which is publicly accessible by design.FederatedSecurityTokenManager fails to properly verify the cryptographic signature, accepts the forged assertion, and grants the attacker the identity and privileges of the impersonated principal (GitHub Advisory, CoreWCF Advisory).Upgrade CoreWCF.Primitives to version 1.8.1 (if on the 1.8.x branch) or 1.9.1 (if on the 1.9.x branch). The advisory explicitly states there are no workarounds available, making patching the only remediation. Organizations should prioritize this update immediately, especially for services exposed to untrusted networks or hosting sensitive data (GitHub Advisory, CoreWCF Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."