External risk intelligence

CoreWCF SAML Validation Flaw Allows Impersonation

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-54782

CoreWCF is used to build WCF services on .NET Core, which are frequently deployed as internet-facing APIs, web services, or federated identity endpoints. Because these services are designed to handle authentication and token validation, they are commonly exposed to the public internet to facilitate remote communication and service integration.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in CoreWCF, a component used for building Windows Communication Foundation services on .NET Core. This issue could allow an unauthenticated attacker to impersonate users by improperly validating security tokens. The main concern is confirming relevance and exposure to your deployed services.

  • Attackers could impersonate users.
  • Affects services using specific security token validation.
  • Confirm relevance and exposure to your deployed services.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can impersonate users by exploiting a flaw in how CoreWCF handles SAML tokens. This occurs when using federated bindings with specific IdentityConfiguration settings, as the system may not correctly validate the issuer's signature. Successful exploitation allows the attacker to assume the identity of any user that a trusted Security Token Service (STS) can issue tokens for, leading to significant compromise.

  • No authentication required.
  • Invalid SAML token issuer validation.
  • Impersonate any federated user.

Live Threat

Current exploitation, exposure, and threat context

CoreWCF services using SAML token validation with federated bindings could allow an unauthenticated remote attacker to impersonate users. This occurs when the issuer signing key is not correctly resolved or signed tokens are not required.

  • Service identity and user impersonation.
  • Unauthenticated remote access to service.
  • Compromise of authorized service actions.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are likely responsible for managing CoreWCF, as it's used to build WCF services on .NET Core, often deployed as internet-facing APIs or federated identity endpoints. The first practical step is to identify where CoreWCF is deployed, assess its exposure and criticality, and locate the accountable owner to plan remediation based on risk.

  • Identify CoreWCF deployments and criticality.
  • Verify federated binding configurations.
  • Plan risk-based remediation and vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is CoreWCF and why is it used?

CoreWCF is a software library that allows developers to port Windows Communication Foundation (WCF) services to .NET Core. It provides the necessary infrastructure for building service-oriented applications, such as web services and APIs, that rely on .NET. Developers use it to maintain compatibility with existing WCF messaging patterns while modernizing their backend infrastructure for cross-platform environments.

What does CVE-2026-54782 mean for token security?

This vulnerability involves an Authentication Bypass by Spoofing (CWE-290) and Improper Verification of Cryptographic Signature (CWE-347). In simple terms, the software fails to correctly check if a SAML security token is legitimate. Because the system does not properly verify the token's issuer or signature, an attacker can trick the service into believing they are a trusted user, effectively bypassing authentication entirely.

How can an attacker trigger this vulnerability?

The flaw is triggered when CoreWCF uses federated bindings in conjunction with specific IdentityConfiguration settings. It is important to note that the vulnerability does not exist if your application does not utilize these specific federated configurations for SAML token validation. If your service uses different authentication methods or standard local configurations, it may not be subject to this particular token validation failure.

Why is this CVE significant for my network?

According to Halo Surface Signal, CoreWCF services are frequently deployed as internet-facing APIs or identity endpoints. Because these services are designed to handle external requests, they are often reachable from the public internet. If your service is internet-facing, it is at higher risk because an unauthenticated attacker can attempt to send malicious tokens remotely without needing prior access to your internal environment.

Do I need to update my software immediately?

Yes, you should prioritize investigating your deployments. Start by identifying which services run CoreWCF and confirm if they use federated bindings with SAML. Once you confirm the usage, coordinate with your engineering teams to update to version 1.8.1 or 1.9.1. These versions contain the necessary logic fixes to properly validate issuer signing keys and enforce mandatory signed tokens.

References