CVE-2026-54782
C# Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-54782 is a critical authentication bypass vulnerability in CoreWCF's SAML 1.1 and SAML 2.0 token signature validation, allowing unauthenticated remote attackers to fully impersonate any principal the trusted Security Token Service (STS) could have issued an assertion for. It affects the CoreWCF.Primitives NuGet package versions 1.8.0 and 1.9.0. The advisory was published on June 16, 2026, and added to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v3.1 base score of 10.0 (Critical) (GitHub Advisory, CoreWCF Advisory).

Détails techniques

The root cause is improper verification of cryptographic signatures on SAML tokens (CWE-347) combined with authentication bypass by spoofing (CWE-290). The flaw exists in the FederatedSecurityTokenManager used when a relying-party service is hosted with WSFederationHttpBinding or WS2007FederationHttpBinding and IdentityConfiguration is wired (UseIdentityConfiguration = true). An attacker who can reach the service over the network and knows the trusted STS's public certificate — which is by design publicly discoverable — can craft or replay a forged SAML assertion that bypasses signature validation, enabling full principal impersonation without any credentials (GitHub Advisory, CoreWCF Advisory).

Impact

Successful exploitation enables full impersonation of any principal the trusted STS could have issued an assertion for, including administrative principals when the relying party grants elevated privileges via SAML claims. This results in high confidentiality and integrity impact across the affected service and potentially any downstream resources accessible to the impersonated identity, with scope change indicating impact beyond the vulnerable component itself. An attacker could gain unauthorized administrative access, exfiltrate sensitive data, modify application state, or use the compromised identity for lateral movement within the environment (GitHub Advisory, CoreWCF Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify services hosted with CoreWCF using WSFederationHttpBinding or WS2007FederationHttpBinding with UseIdentityConfiguration = true. This can be done by inspecting WSDL/metadata endpoints or service discovery.
  2. Obtain STS public certificate: Retrieve the trusted STS's public certificate from its federation metadata endpoint (e.g., https://<sts-host>/FederationMetadata/2007-06/FederationMetadata.xml), which is publicly accessible by design.
  3. Craft forged SAML assertion: Construct a SAML 1.1 or SAML 2.0 assertion claiming the identity of a high-privileged principal (e.g., an administrator). Due to the signature validation flaw, the assertion does not need to be validly signed by the STS's private key.
  4. Submit forged token: Send a WS-Federation request to the vulnerable CoreWCF service endpoint, embedding the forged SAML assertion in the security header of the SOAP message.
  5. Achieve impersonation: The service's FederatedSecurityTokenManager fails to properly verify the cryptographic signature, accepts the forged assertion, and grants the attacker the identity and privileges of the impersonated principal (GitHub Advisory, CoreWCF Advisory).

Indicateurs de compromis

  • Network: Unexpected or anomalous SOAP/WS-Federation requests to CoreWCF service endpoints from unknown or untrusted source IPs; requests containing SAML assertions not originating from the legitimate STS infrastructure.
  • Logs: Service authentication logs showing successful logins for high-privileged or administrative accounts at unusual times or from unexpected IP addresses; absence of corresponding STS-side token issuance events for authenticated sessions.
  • Application: SAML assertions in request logs where the issuer or signature does not match the expected STS; repeated access attempts using different claimed principal identities from the same source.
  • Process/Behavior: Unusual administrative actions performed by accounts that have no corresponding legitimate user activity, particularly shortly after service endpoint access from external IPs (GitHub Advisory).

Atténuation et solutions de contournement

Upgrade CoreWCF.Primitives to version 1.8.1 (if on the 1.8.x branch) or 1.9.1 (if on the 1.9.x branch). The advisory explicitly states there are no workarounds available, making patching the only remediation. Organizations should prioritize this update immediately, especially for services exposed to untrusted networks or hosting sensitive data (GitHub Advisory, CoreWCF Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté C# Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54782CRITICAL10
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026
CVE-2026-54784HIGH7.4
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026
CVE-2026-54783HIGH7.4
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026
CVE-2026-54781HIGH7.4
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026
CVE-2026-54780LOW3.7
  • C# logoC#
  • CoreWCF.Primitives
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités