CVE-2026-54783
C# vulnerability analysis and mitigation

Overview

CVE-2026-54783 is an XML Signature Wrapping vulnerability in CoreWCF's WS-Security endorsing/supporting signature verification that allows replay of captured signed SOAP messages. It affects the CoreWCF.Primitives NuGet package versions 1.8.0 and 1.9.0 (i.e., versions prior to 1.8.1 and prior to 1.9.1). The vulnerability was published by the CoreWCF maintainer on June 16, 2026, and added to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v3.1 base score of 7.4 (High) (GitHub Advisory, CoreWCF Advisory).

Technical details

The root cause is an XML Signature Wrapping (XSW) flaw in how CoreWCF verifies WS-Security endorsing and supporting signatures, classified under CWE-294 (Authentication Bypass by Capture-replay), CWE-345 (Insufficient Verification of Data Authenticity), and CWE-347 (Improper Verification of Cryptographic Signature). An attacker who captures a single legitimately signed SOAP envelope can replay it — with a freshly generated timestamp in the wsse:Security header — to impersonate the original victim principal. The replay-detection logic (DetectReplays) only inspects the timestamp field, which the attacker replaces with a fresh value, effectively bypassing the anti-replay mechanism entirely. There is no rate limiting on replays, meaning the attack can be repeated indefinitely for the lifetime of the captured signing key (GitHub Advisory, CoreWCF Advisory).

Impact

A successful exploit allows an unauthenticated attacker to invoke arbitrary SOAP operations on the affected service while impersonating a legitimate victim principal, resulting in high confidentiality and integrity impact. The attacker can read sensitive data accessible to the victim's account and perform unauthorized write or transactional operations on the service. Availability is not directly impacted, but the ability to act as any captured principal could enable lateral movement within service-oriented architectures that trust WS-Security identity assertions (GitHub Advisory).

Exploitation steps

  1. Reconnaissance: Identify CoreWCF-based SOAP services running CoreWCF.Primitives versions 1.8.0 or 1.9.0 that use WS-Security message-level signing without mandatory SSL/TLS transport protection.
  2. Traffic interception: Position on a network path (e.g., via ARP spoofing, rogue Wi-Fi, or compromised network device) to capture unencrypted SOAP traffic between a legitimate client and the CoreWCF service.
  3. Capture signed SOAP envelope: Record a complete signed SOAP message from a victim client, including the wsse:Security header containing the digital signature and the original timestamp.
  4. Craft replay message: Modify the captured envelope by replacing the wsu:Timestamp element in the wsse:Security header with a fresh, current timestamp while preserving the original signature over the message body and other signed elements.
  5. Replay the message: Transmit the modified SOAP envelope to the target CoreWCF service. The service's replay-detection logic accepts the fresh timestamp as valid and the signature verification passes due to the XSW flaw, granting the attacker access as the victim principal.
  6. Invoke arbitrary operations: Repeat the replay (with updated timestamps) as many times as desired for the lifetime of the victim's signing key to perform unauthorized operations on the service (GitHub Advisory, CoreWCF Advisory).

Indicators of compromise

  • Network: Repeated SOAP requests from an IP address that does not match the legitimate client's known address, carrying identical message body signatures but differing timestamps in the wsse:Security header.
  • Network: Unusual volume of SOAP requests from a single source, particularly if the service does not normally receive high-frequency calls from that endpoint.
  • Logs: Service access logs showing the same WS-Security signing key or certificate used across requests originating from multiple or unexpected source IPs.
  • Logs: Requests with wsu:Timestamp values that are always near-current but whose message body signatures correspond to a previously observed signed message.
  • Application: Operations being invoked under a victim's identity at times inconsistent with that user's normal activity patterns or from unexpected network locations.
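The first and fourth indicators above can be checked mechanically: a ds:SignatureValue that reappears with a different wsu:Created or from a different source address is the signature of a replay. The following is an added example (not CoreWCF code) that applies that rule to constructed SOAP envelopes; the sample signature values and IP addresses are made up.

```python
"""Flag replayed WS-Security signatures: same ds:SignatureValue seen again
with a different wsu:Created timestamp or from a different source IP."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

def extract(envelope_xml):
    """Return (signature_value, created) from the wsse:Security header, or None."""
    root = ET.fromstring(envelope_xml)
    sig = root.find(".//wsse:Security//ds:SignatureValue", NS)
    created = root.find(".//wsse:Security/wsu:Timestamp/wsu:Created", NS)
    if sig is None or created is None or not sig.text or not created.text:
        return None
    return "".join(sig.text.split()), created.text.strip()  # normalise base64 whitespace

def find_replays(requests):
    """requests: iterable of (source_ip, envelope_xml). Returns one alert per replayed request."""
    seen = defaultdict(list)  # signature value -> [(ip, created), ...]
    alerts = []
    for ip, xml_text in requests:
        parsed = extract(xml_text)
        if parsed is None:
            continue  # unsigned request; not relevant to this indicator
        sig, created = parsed
        for first_ip, first_created in seen[sig]:
            if first_created != created or first_ip != ip:
                alerts.append({"signature": sig[:12], "first_ip": first_ip, "replay_ip": ip,
                               "first_created": first_created, "replay_created": created})
                break
        seen[sig].append((ip, created))
    return alerts

def envelope(created, sig_b64):
    """Constructed minimal SOAP 1.2 envelope carrying a WS-Security timestamp and signature."""
    return (f'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Header>'
            f'<wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
            f'<wsu:Timestamp><wsu:Created>{created}</wsu:Created></wsu:Timestamp>'
            f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignatureValue>{sig_b64}</ds:SignatureValue>'
            f'</ds:Signature></wsse:Security></s:Header><s:Body/></s:Envelope>')

# Constructed traffic: two legitimate client requests, then the first one replayed
# from another host with only the timestamp refreshed (signature value unchanged).
SAMPLE_REQUESTS = [
    ("10.0.0.5", envelope("2026-06-20T09:00:00Z", "QUJDREVGR0hJSktMTU5PUA==")),
    ("10.0.0.5", envelope("2026-06-20T09:00:05Z", "WllYV1ZVVFNSUVBPTk1MSw==")),
    ("192.0.2.77", envelope("2026-06-20T09:12:41Z", "QUJDREVGR0hJSktMTU5PUA==")),
]
```

Run the rule over requests in arrival order; a production version would key the seen-table on the signing certificate as well and expire entries after the signer's key rotates.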

Mitigation and workarounds

Upgrade CoreWCF.Primitives to version 1.8.1 or 1.9.1, which contain the fix for this vulnerability. As an immediate workaround where upgrading is not possible, enforce SSL/TLS transport-layer encryption on all CoreWCF service endpoints to prevent attackers from capturing signed SOAP envelopes in transit. Note that enabling the DetectReplays setting alone does not mitigate this issue, as the attack uses a fresh timestamp that bypasses that check (GitHub Advisory, CoreWCF Advisory).

Source: this report was generated with the help of AI.