VYPR
Vypr Intelligence · AI-generated · Jun 19, 2026 · 13 CVEs

CoreWCF: 13 CVEs Disclosed in a Single Day — Critical SAML Bypass and WS-Security Flaws

CoreWCF disclosed 13 vulnerabilities on June 19, including a critical SAML authentication bypass and seven high-severity flaws spanning WS-Security, transport bindings, and denial of service.

Key findings

  • 13 CVEs disclosed together on 2026-06-19, one critical (CVE-2026-54782) and seven high-severity
  • Critical SAML authentication bypass allows full impersonation of any STS-issued principal
  • WS-Security signature substitution (CVE-2026-54773) and SPNEGO key confidentiality gap (CVE-2026-54784)
  • Pre-authentication CPU exhaustion (CVE-2026-54772) via net.tcp/net.pipe/net.uds handshake
  • All bugs fixed in CoreWCF v1.8.1 and v1.9.1
  • Kafka tombstone record can permanently halt consume pump (CVE-2026-54775)

CoreWCF: 13 CVEs Disclosed in a Single Day — SAML, WS-Security, and Transport Flaws

On 2026-06-19, the CoreWCF project released security advisories for 13 distinct vulnerabilities spanning SAML token validation, WS-Security signature processing, and transport-layer identity enforcement. The batch includes one critical-severity bug, seven high-severity issues, and several medium/low findings. Together they affect every deployment of CoreWCF, the .NET Core port of Windows Communication Foundation (WCF).

SAML Token Validation — Critical and High-Risk Gaps

The most severe flaw is CVE-2026-54782 (CVSS 9.8, critical), an authentication bypass in SAML 1.1 and 2.0 token signature validation. An attacker who can obtain a SAML assertion from a trusted STS can impersonate any principal the STS could have issued for — including administrative users — when the relying party uses WSFederationHttpBinding or WS2007FederationHttpBinding. No signature verification is effectively performed.

Three additional high-severity SAML bugs compound the risk:

  • CVE-2026-54781 — SubjectConfirmation methods and holder-of-key proof keys are not enforced, allowing a holder-of-key downgrade or bearer-style misuse.
  • CVE-2026-54774 — SamlSerializer skips SignatureValue verification when the signing token is not an X.509 certificate, breaking any non-X.509 trust path.
  • CVE-2026-54779 — SAML token replay protection (DetectReplayedTokens) is inoperative; a token can be replayed without detection.

WS-Security Signature and Encryption Weaknesses

Four CVEs target the WS-Security 1.0 pipeline:

  • CVE-2026-54773 — Signature substitution via document-wide ds:Signature lookup. An unauthenticated attacker who can place a SOAP header before wsse:Security can inject their own signature, causing the server to verify the wrong one.
  • CVE-2026-54783 — XML Signature Wrapping in endorsing/supporting signatures allows replay of captured signed SOAP envelopes. With one captured message, an attacker can invoke arbitrary operations as the victim for the lifetime of the signing key.
  • CVE-2026-54784 — The SPNEGO SecurityContextToken proof key is wrapped without confidentiality, enabling a network observer to impersonate the authenticated Windows principal for the SCT lifetime (~10 hours).
  • CVE-2026-54780 — The DigestMethod algorithm is not validated against the configured SecurityAlgorithmSuite, allowing a sender to bypass suite restrictions (rated low severity).
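The two lookup problems above (the document-wide ds:Signature search behind CVE-2026-54773 and the signature wrapping behind CVE-2026-54783) in miniature, as an added example that is not CoreWCF code: the envelopes and signature skeletons are constructed, carry no real cryptography, and the `pick_signature` and `signed_body` names are assumptions.

```python
# Added example, not CoreWCF code: a document-wide ds:Signature lookup accepts a signature
# from any SOAP header, and a signed reference must resolve to the element actually processed.
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]
XMLNS = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
def sig(ref_id, value):  # minimal signature skeleton (constructed, no real crypto)
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>%s</ds:SignatureValue></ds:Signature>' % (ref_id, value))

# Case 1: a foreign header placed before wsse:Security carries its own ds:Signature.
SUBSTITUTED = ('<s:Envelope %s><s:Header><Rogue xmlns="urn:x">%s</Rogue>'
               '<wsse:Security>%s</wsse:Security></s:Header>'
               '<s:Body wsu:Id="body">real</s:Body></s:Envelope>'
               % (XMLNS, sig("rogue", "ROGUE"), sig("body", "GENUINE")))
# Case 2 (wrapping): the signed Body is moved under a wrapper header with its Id intact
# and an unsigned replacement Body is what the application would process.
WRAPPED = ('<s:Envelope %s><s:Header><Wrap xmlns="urn:x"><s:Body wsu:Id="body">orig</s:Body>'
           '</Wrap><wsse:Security>%s</wsse:Security></s:Header>'
           '<s:Body>replacement</s:Body></s:Envelope>' % (XMLNS, sig("body", "GENUINE")))

def pick_signature(root, document_wide):
    """Vulnerable: first ds:Signature anywhere. Hardened: only inside wsse:Security."""
    if document_wide:
        return root.find(".//ds:Signature", NS)
    return root.find("s:Header/wsse:Security/ds:Signature", NS)

def signed_body(root, s):
    """Body covered by the signature, or None if the reference is absent, ambiguous
    (duplicate wsu:Id) or resolves to anything other than the Body to be processed."""
    ref = s.find("ds:SignedInfo/ds:Reference", NS) if s is not None else None
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        return None
    matches = [el for el in root.iter() if el.get(WSU_ID) == uri[1:]]
    body = root.find("s:Body", NS)  # the top-level Body the application will dispatch
    return body if len(matches) == 1 and matches[0] is body else None

def signature_value(xml_text, document_wide):
    s = pick_signature(ET.fromstring(xml_text), document_wide)
    return None if s is None else s.findtext("ds:SignatureValue", namespaces=NS)

def verified_body(xml_text):
    """Hardened path: scoped signature lookup plus strict reference resolution."""
    root = ET.fromstring(xml_text)
    body = signed_body(root, pick_signature(root, False))
    return None if body is None else body.text
```

The document-wide lookup returns the rogue header's signature for the first envelope, while the scoped lookup still finds the genuine one; for the wrapped envelope the reference check rejects the message even though the genuine signature is present.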

Transport-Layer Issues — Named Pipes, Unix Sockets, and Kafka

Four CVEs affect transport bindings:

  • CVE-2026-54777 — NetNamedPipe transport accepts attachment to a pre-existing named pipe instance, allowing local interception of traffic.
  • CVE-2026-54776 — Unix Domain Socket PosixIdentity transport accepts connections that skip the required security upgrade, bypassing authentication.
  • CVE-2026-54778 — Race condition in POSIX peer identity resolution (getpwuid/getgrgid non-reentrancy) may attribute one connection's identity to another or crash the host process.
  • CVE-2026-54775 — A Kafka tombstone (null-value record) permanently halts the consume pump, causing persistent endpoint denial of service.

Pre-Authentication CPU Exhaustion

CVE-2026-54772 (high severity) describes an infinite-loop CPU exhaustion in the net.tcp / net.pipe / net.uds framing handshake. An unauthenticated remote attacker can pin one server thread-pool worker at 100% CPU per connection; a few connections can exhaust the host.

Patch Status and Mitigations

All 13 CVEs are fixed in CoreWCF v1.8.1 and v1.9.1, and any earlier version should be upgraded without delay. Where an upgrade cannot happen right away, the advisories list workarounds: restricting UDS filesystem permissions for the POSIX identity race, providing a custom ITokenReplayCache for the replay-protection bug, and limiting network access to NetTcpBinding/NetNamedPipeBinding endpoints to mitigate the CPU-exhaustion flaw.

Why This Batch Matters

CoreWCF is widely used in .NET Core environments that require WS-* protocol support, including federated authentication with SAML and WS-SecureConversation. The breadth of this disclosure — spanning authentication, confidentiality, signature validation, and transport security — means that nearly every CoreWCF deployment is affected by at least one of these issues. The critical SAML bypass (CVE-2026-54782) alone should prompt immediate patching for any service using federated bindings. Users should review the CoreWCF security advisories for detailed guidance.

AI-written article. Grounded in 13 CVE records listed below.