CVE-2026-54782

CoreWCF · CoreWCF

CoreWCF fails to properly validate SAML token signatures when using federated bindings, allowing unauthenticated attackers to impersonate arbitrary principals.

Executive summary

An authentication bypass in CoreWCF allows unauthenticated remote attackers to impersonate any user, posing a critical risk to identity security.

Vulnerability

The vulnerability stems from the improper resolution of issuer signing keys and the failure to require signed tokens during SAML validation in IdentityConfiguration. This allows an unauthenticated remote attacker to craft malicious tokens that the service will accept as valid, effectively bypassing authentication mechanisms.

Business impact

Successful exploitation allows an attacker to gain unauthorized access to any service protected by the vulnerable CoreWCF implementation. This could result in full account takeover, unauthorized data access, and the ability to perform administrative actions under the guise of an impersonated user. The CVSS score of 10.0 reflects the critical nature of this identity-based compromise.

Remediation

Immediate Action: Upgrade CoreWCF to version 1.8.1 or 1.9.1 depending on your current deployment branch.

Proactive Monitoring: Monitor authentication and authorization logs for anomalous spikes in authentication requests or service access from unknown or unexpected identity providers.

Compensating Controls: If patching is delayed, restrict access to the affected services via network-level controls such as IP whitelisting or VPN-only access to minimize the attack surface.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This is a critical authentication bypass that must be remediated immediately. Ensure all federated service endpoints are updated to the fixed versions to restore secure token validation and protect against unauthorized impersonation.