CoreWCF: 13 CVEs Disclosed in a Single Day — Critical SAML Bypass and WS-Security Flaws

Key findings
- 13 CVEs disclosed together on 2026-06-19, one critical (CVE-2026-54782) and seven high-severity
- Critical SAML authentication bypass allows full impersonation of any STS-issued principal
- WS-Security signature substitution (CVE-2026-54773) and SPNEGO key confidentiality gap (CVE-2026-54784)
- Pre-authentication CPU exhaustion (CVE-2026-54772) via net.tcp/net.pipe/net.uds handshake
- All bugs fixed in CoreWCF v1.8.1 and v1.9.1
- Kafka tombstone record can permanently halt consume pump (CVE-2026-54775)
On 2026-06-19, the CoreWCF project released security advisories for 13 distinct vulnerabilities spanning SAML token validation, WS-Security signature processing, and transport-layer identity enforcement. The batch includes one critical-severity bug, seven high-severity issues, and several medium/low findings. Together they affect every deployment of CoreWCF, the .NET Core port of Windows Communication Foundation (WCF).
SAML Token Validation — Critical and High-Risk Gaps
The most severe flaw is CVE-2026-54782 (CVSS 9.8, critical), an authentication bypass in SAML 1.1 and 2.0 token signature validation. An attacker who can obtain a SAML assertion from a trusted STS can impersonate any principal the STS could have issued for — including administrative users — when the relying party uses WSFederationHttpBinding or WS2007FederationHttpBinding. No signature verification is effectively performed.
Three additional high-severity SAML bugs compound the risk:
- CVE-2026-54781 — SubjectConfirmation methods and holder-of-key proof keys are not enforced, allowing a holder-of-key downgrade or bearer-style misuse.
- CVE-2026-54774 — SamlSerializer skips SignatureValue verification when the signing token is not an X.509 certificate, breaking any non-X.509 trust path.
- CVE-2026-54779 — SAML token replay protection (DetectReplayedTokens) is inoperative; a token can be replayed without detection.
WS-Security Signature and Encryption Weaknesses
Four CVEs target the WS-Security 1.0 pipeline:
- CVE-2026-54773 — Signature substitution via document-wide ds:Signature lookup. An unauthenticated attacker who can place a SOAP header before wsse:Security can inject their own signature, causing the server to verify the wrong one.
- CVE-2026-54783 — XML Signature Wrapping in endorsing/supporting signatures allows replay of captured signed SOAP envelopes. With one captured message, an attacker can invoke arbitrary operations as the victim for the lifetime of the signing key.
- CVE-2026-54784 — The SPNEGO SecurityContextToken proof key is wrapped without confidentiality, enabling a network observer to impersonate the authenticated Windows principal for the SCT lifetime (~10 hours).
- CVE-2026-54780 — The DigestMethod algorithm is not validated against the configured SecurityAlgorithmSuite, allowing a sender to bypass suite restrictions (rated low severity).
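The two header-level checks this list calls for, scoping the ds:Signature lookup to wsse:Security (CVE-2026-54773) and validating DigestMethod and SignatureMethod against the configured suite (CVE-2026-54780), as an added Python illustration that is not CoreWCF code. The namespace URIs are the standard SOAP 1.1, WS-Security and XMLDSig ones; the allow-list and the sample envelope are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Assumed allow-list in the spirit of a SHA-256 suite; not CoreWCF's own SecurityAlgorithmSuite table.
ALLOWED = {"digest": {SHA256}, "signature": {RSA_SHA256}}

def select_signature(root):
    """Return the single ds:Signature under wsse:Security, refusing anything ambiguous.
    A document-wide lookup (root.iter) would return whichever Signature comes first in
    document order, so the search is scoped and any Signature elsewhere is a hard error."""
    header = root.find(f"{{{SOAP}}}Header")
    security = header.findall(f"{{{WSSE}}}Security") if header is not None else []
    if len(security) != 1:
        raise ValueError("expected exactly one wsse:Security header")
    sigs = security[0].findall(f"{{{DS}}}Signature")
    if len(sigs) != 1:
        raise ValueError("expected exactly one ds:Signature in wsse:Security")
    if any(s is not sigs[0] for s in root.iter(f"{{{DS}}}Signature")):
        raise ValueError("ds:Signature present outside wsse:Security")
    return sigs[0]

def check_algorithms(sig):
    """Enforce the suite on SignatureMethod and on every Reference's DigestMethod."""
    info = sig.find(f"{{{DS}}}SignedInfo")
    method = info.find(f"{{{DS}}}SignatureMethod") if info is not None else None
    if method is None or method.get("Algorithm") not in ALLOWED["signature"]:
        raise ValueError("SignatureMethod outside configured suite")
    digests = [r.find(f"{{{DS}}}DigestMethod") for r in info.findall(f"{{{DS}}}Reference")]
    if not digests or any(d is None or d.get("Algorithm") not in ALLOWED["digest"] for d in digests):
        raise ValueError("DigestMethod outside configured suite")

def validate_envelope(xml_text):
    """Pre-crypto structural and algorithm checks; returns (accepted, reason)."""
    try:
        check_algorithms(select_signature(ET.fromstring(xml_text)))
    except (ValueError, ET.ParseError) as e:
        return False, str(e)
    return True, "ok"

def sample_envelope(digest=SHA256, extra_header=""):
    """Constructed SOAP 1.1 envelope; DigestValue/SignatureValue are placeholders, not real crypto."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:ds="{DS}"><s:Header>{extra_header}'
            f'<wsse:Security><ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>'
            f'<ds:Reference URI="#body"><ds:DigestMethod Algorithm="{digest}"/><ds:DigestValue>X</ds:DigestValue>'
            f'</ds:Reference></ds:SignedInfo><ds:SignatureValue>X</ds:SignatureValue></ds:Signature>'
            f'</wsse:Security></s:Header><s:Body>payload</s:Body></s:Envelope>')
```

These checks run before any cryptographic verification; an envelope that fails them is rejected without ever consulting a key.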
Transport-Layer Issues — Named Pipes, Unix Sockets, and Kafka
Four CVEs affect transport bindings:
- CVE-2026-54777 — NetNamedPipe transport accepts attachment to a pre-existing named pipe instance, allowing local interception of traffic.
- CVE-2026-54776 — Unix Domain Socket PosixIdentity transport accepts connections that skip the required security upgrade, bypassing authentication.
- CVE-2026-54778 — Race condition in POSIX peer identity resolution (getpwuid/getgrgid non-reentrancy) may attribute one connection's identity to another or crash the host process.
- CVE-2026-54775 — A Kafka tombstone (null-value record) permanently halts the consume pump, causing persistent endpoint denial of service.
Pre-Authentication CPU Exhaustion
CVE-2026-54772 (high severity) describes an infinite-loop CPU exhaustion in the net.tcp / net.pipe / net.uds framing handshake. An unauthenticated remote attacker can pin one server thread-pool worker at 100% CPU per connection; a few connections can exhaust the host.
Patch Status and Mitigations
All 13 CVEs are fixed in **CoreWCF v1.8.1 and v1.9.1**. Users running any earlier version should upgrade immediately. Where an upgrade has to wait, the advisories list workarounds: restricting UDS filesystem permissions for the POSIX identity race, supplying a custom ITokenReplayCache for the replay-protection bug, and limiting network access to NetTcpBinding/NetNamedPipeBinding endpoints to mitigate the CPU-exhaustion flaw.
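A minimal replay cache of the kind the replay-protection workaround calls for, as an added Python example that is not CoreWCF's ITokenReplayCache implementation; the method names, the injectable clock and the entry cap are assumptions, the contract (remember each assertion id until it expires, refuse a second presentation in that window) is the standard one.

```python
import time

class TokenReplayCache:
    """Remember each token id until the token itself expires and refuse a second
    presentation inside that window. Assumed shape only, mirroring the contract a
    custom ITokenReplayCache must honour; not CoreWCF's interface."""

    def __init__(self, clock=time.time, max_entries=100_000):
        self._seen = {}            # token id -> expiry (unix seconds)
        self._clock = clock        # injectable so behaviour can be tested deterministically
        self._max = max_entries

    def __len__(self):
        return len(self._seen)

    def _purge(self, now):
        # Expired ids are safe to forget: the token lifetime check rejects them anyway.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}

    def try_add(self, token_id, expires_on):
        """True if the token is seen for the first time; False if it must be rejected."""
        now = self._clock()
        self._purge(now)
        if expires_on <= now:
            return False           # already expired, never enters the cache
        if token_id in self._seen:
            return False           # replay within the token's validity window
        if len(self._seen) >= self._max:
            return False           # fail closed rather than evicting live entries
        self._seen[token_id] = expires_on
        return True

def accept_assertion(cache, assertion_id, not_on_or_after):
    """Receiver-side gate: the SAML AssertionID is the replay key and NotOnOrAfter
    bounds how long it has to be remembered. An assertion without an id is rejected."""
    return bool(assertion_id) and cache.try_add(assertion_id, not_on_or_after)
```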
Why This Batch Matters
CoreWCF is widely used in .NET Core environments that require WS-* protocol support, including federated authentication with SAML and WS-SecureConversation. The breadth of this disclosure — spanning authentication, confidentiality, signature validation, and transport security — means that nearly every CoreWCF deployment is affected by at least one of these issues. The critical SAML bypass (CVE-2026-54782) alone should prompt immediate patching for any service using federated bindings. Users should review the CoreWCF security advisories for detailed guidance.