CVE-2026-54782
CoreWCF · CoreWCF
CoreWCF fails to properly validate SAML token signatures when using federated bindings, allowing unauthenticated attackers to impersonate arbitrary principals.
Executive summary
An authentication bypass in CoreWCF allows unauthenticated remote attackers to impersonate any user, posing a critical risk to identity security.
Vulnerability
The vulnerability stems from the improper resolution of issuer signing keys and the failure to require signed tokens during SAML validation in IdentityConfiguration. This allows an unauthenticated remote attacker to craft malicious tokens that the service will accept as valid, effectively bypassing authentication mechanisms.
Business impact
Successful exploitation allows an attacker to gain unauthorized access to any service protected by the vulnerable CoreWCF implementation. This could result in full account takeover, unauthorized data access, and the ability to perform administrative actions under the guise of an impersonated user. The CVSS score of 10.0 reflects the critical nature of this identity-based compromise.
Remediation
Immediate Action: Upgrade CoreWCF to version 1.8.1 or 1.9.1 depending on your current deployment branch.
Proactive Monitoring: Monitor authentication and authorization logs for anomalous spikes in authentication requests or service access from unknown or unexpected identity providers.
Compensating Controls: If patching is delayed, restrict access to the affected services via network-level controls such as IP whitelisting or VPN-only access to minimize the attack surface.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This is a critical authentication bypass that must be remediated immediately. Ensure all federated service endpoints are updated to the fixed versions to restore secure token validation and protect against unauthorized impersonation.