CVE-2026-54782
CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation
Description
### Impact Full impersonation of any principal the trusted STS could have issued an assertion for — including administrative principals when the relying party grants them via SAML claims. Affects both SAML 1.1 and SAML 2.0. #### Preconditions Relying-party service is hosted with WSFederationHttpBinding or WS2007FederationHttpBinding (or any binding that triggers FederatedSecurityTokenManager for issued-token validation), and IdentityConfiguration is wired (UseIdentityConfiguration = true). Attacker can reach the service over the network and knows the trusted STS’s public certificate (public certs are by design discoverable). ### Patches Fixed in CoreWCF v1.8.1 and v1.9.1 ### Workarounds None
How to fix CVE-2026-54782
To remediate CVE-2026-54782, upgrade the affected package to a fixed version below.
- —upgrade to 1.8.1 or later
Is CVE-2026-54782 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-54782.
Affected packages (1)
- from 0, < 1.8.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |