CVE-2026-54783
C# Vulnerability Analysis and Mitigation

Overview

CVE-2026-54783 is an XML Signature Wrapping vulnerability in CoreWCF's WS-Security endorsing/supporting signature verification that allows replay of captured signed SOAP messages. It affects the CoreWCF.Primitives NuGet package versions 1.8.0 and 1.9.0. The vulnerability was published by maintainer mconnew on June 16, 2026, and added to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v3.1 base score of 7.4 (High) (GitHub Advisory, CoreWCF Advisory).

Technical details

The root cause is an XML Signature Wrapping (XSW) flaw in how CoreWCF verifies WS-Security endorsing and supporting signatures, classified under CWE-294 (Authentication Bypass by Capture-replay), CWE-345 (Insufficient Verification of Data Authenticity), and CWE-347 (Improper Verification of Cryptographic Signature). An attacker who captures a single legitimately signed SOAP envelope can replay it — with a freshly generated timestamp in the wsse:Security header — to impersonate the original victim. The replay-detection logic (DetectReplays) only inspects the timestamp field, which the attacker replaces, so it fails to detect the attack. There is no rate limiting on replays, meaning the attacker can invoke arbitrary service operations as the victim for the entire lifetime of the captured signing key (GitHub Advisory, CoreWCF Advisory).

Impact

A successful exploit allows an attacker to impersonate a legitimate victim principal and invoke arbitrary operations on the affected CoreWCF service with no privileges of their own. The impact includes high confidentiality loss (access to data the victim is authorized to retrieve) and high integrity loss (ability to submit unauthorized transactions or modifications on behalf of the victim). Availability is not directly impacted, but the persistent nature of the attack — lasting for the lifetime of the captured signing key with no replay rate limit — makes it particularly severe for services handling sensitive business logic or data (GitHub Advisory).

Exploitation steps

  1. Capture a signed SOAP envelope: Position on the network path between a legitimate client and the CoreWCF service (e.g., via ARP spoofing, rogue Wi-Fi, or access to unencrypted traffic) and capture a valid signed SOAP message from a victim client.
  2. Extract the signed envelope: Parse the captured SOAP message to obtain the wsse:Security header containing the victim's XML digital signature and signing key reference.
  3. Craft a replay message: Construct a new SOAP envelope using the captured signature elements, but replace the wsu:Timestamp in the wsse:Security header with a fresh, current timestamp to bypass the DetectReplays check.
  4. Replay the message: Send the crafted SOAP envelope to the CoreWCF service endpoint. The service accepts the message as authentic because the signature validates and the timestamp appears fresh.
  5. Invoke arbitrary operations: Repeat the replay (with updated timestamps) to invoke any service operation the victim is authorized to perform, for as long as the captured signing key remains valid — with no rate limiting enforced by the service (GitHub Advisory, CoreWCF Advisory).

Indicators of compromise

  • Network: Repeated SOAP requests to the same service endpoint from an IP address that differs from the legitimate client, carrying identical or structurally similar wsse:Security signature blocks but with updated timestamps.
  • Network: Unusual volume of authenticated SOAP requests from unexpected source IPs or at unusual times, particularly if the signing key is associated with a single known client.
  • Logs: Service-side logs showing multiple successful authenticated requests attributed to the same victim principal from different source addresses or in rapid succession.
  • Logs: Absence of corresponding client-side activity logs for operations recorded on the server side, indicating the client did not originate those requests.
  • Application: Operations invoked on the service that are inconsistent with the victim's normal usage patterns, such as bulk data retrieval or unauthorized data modifications (GitHub Advisory).
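A detector for the first three indicators above, written as an added example that is not part of this report: it tracks each wsse:Security signature value and flags the replay pattern described in the technical details (the same SignatureValue reappearing with a fresh wsu:Created timestamp or from a different source address). The SOAP envelopes, source addresses and signature values are constructed for the demo.

```python
"""Flags replayed WS-Security signed SOAP envelopes by tracking ds:SignatureValue.
Constructed example: the envelopes below are hand-built stand-ins, not real traffic."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def build_envelope(created, signature_value):
    """Minimal constructed envelope carrying only the parts the detector reads."""
    return (
        f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:wsse="{NS["wsse"]}" '
        f'xmlns:wsu="{NS["wsu"]}" xmlns:ds="{NS["ds"]}"><s:Header><wsse:Security>'
        f"<wsu:Timestamp><wsu:Created>{created}</wsu:Created></wsu:Timestamp>"
        f"<ds:Signature><ds:SignatureValue>{signature_value}</ds:SignatureValue>"
        "</ds:Signature></wsse:Security></s:Header><s:Body><GetBalance/></s:Body></s:Envelope>"
    )

def extract_security(envelope_xml):
    """Returns (wsu:Created, ds:SignatureValue) from the wsse:Security header."""
    sec = ET.fromstring(envelope_xml).find("s:Header/wsse:Security", NS)
    created = sec.find("wsu:Timestamp/wsu:Created", NS).text.strip()
    sig = sec.find("ds:Signature/ds:SignatureValue", NS).text.strip()
    return created, sig

def find_replays(requests):
    """requests: iterable of (source_ip, envelope_xml) in arrival order.
    A freshly signed request carries a new SignatureValue, so an old value seen again
    with a different Created is the replay pattern; a new source address for the same
    value is reported as a separate reason."""
    seen = defaultdict(list)  # SignatureValue -> [(source_ip, created), ...]
    alerts = []
    for ip, xml in requests:
        created, sig = extract_security(xml)
        reasons = set()
        for prev_ip, prev_created in seen[sig]:
            if prev_created != created:
                reasons.add("timestamp-changed")
            if prev_ip != ip:
                reasons.add("source-ip-changed")
        if reasons:
            alerts.append({"source_ip": ip, "created": created,
                           "signature": sig, "reasons": sorted(reasons)})
        seen[sig].append((ip, created))
    return alerts

def demo():
    """Constructed traffic: a legitimate request, its replay with a fresh timestamp
    from another address, then an unrelated legitimately signed request."""
    sample = [
        ("10.0.0.5", build_envelope("2026-06-20T09:00:00Z", "c2lnLWFiYw==")),
        ("198.51.100.7", build_envelope("2026-06-20T09:05:00Z", "c2lnLWFiYw==")),
        ("10.0.0.5", build_envelope("2026-06-20T09:06:00Z", "c2lnLWRlZg==")),
    ]
    return find_replays(sample)
```

Feed it `(source_ip, raw_envelope)` pairs from a gateway or service-side capture; exact duplicates from the same address with the same timestamp are left to the service's own DetectReplays handling.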

Mitigation and workarounds

The primary remediation is to upgrade CoreWCF.Primitives to version 1.8.1 (for the 1.8.x branch) or 1.9.1 (for the 1.9.x branch), which contain the fix for this vulnerability. As an interim workaround, ensure all communication between clients and the CoreWCF service is protected by SSL/TLS, which prevents an attacker from capturing signed SOAP envelopes in the first place. Note that enabling the DetectReplays setting on transport-security bindings does not mitigate this issue and should not be relied upon as a compensating control (GitHub Advisory, CoreWCF Advisory).

Related information

Sources

This report was generated using AI.

Related C# vulnerabilities:

CVE ID           Severity  Score  Technology  Component                  CISA KEV exploited  Fix available  Published
CVE-2026-48109   HIGH      8.2    C#          messagepack                No                  Yes            Jun 22, 2026
CVE-2026-54784   HIGH      7.4    C#          CoreWCF.Primitives         No                  Yes            Jun 19, 2026
CVE-2026-54783   HIGH      7.4    C#          CoreWCF.Primitives         No                  Yes            Jun 19, 2026
CVE-2026-56370   NONE      N/A    C#          Magick.NET-Q16-HDRI-arm64  No                  Yes            Jun 25, 2026
CVE-2026-56368   NONE      N/A    C#          imagemagick                No                  Yes            Jun 25, 2026
