CVE-2026-54782
Published: June 19, 2026
Updated: June 21, 2026
Impact
Full impersonation of any principal the trusted STS could have issued an assertion for — including administrative principals when the relying party grants them via SAML claims. Affects both SAML 1.1 and SAML 2.0.

Preconditions
The relying-party service is hosted with WSFederationHttpBinding or WS2007FederationHttpBinding (or any binding that triggers FederatedSecurityTokenManager for issued-token validation), and IdentityConfiguration is wired (UseIdentityConfiguration = true).
The attacker can reach the service over the network and knows the trusted STS's public certificate (public certificates are by design discoverable).

Patches
Fixed in CoreWCF v1.8.1 and v1.9.1.

Workarounds
None.
Affected Packages
corewcf.primitives (DOT_NET): affected versions >=0.1.0.8 <1.8.1; fix: update to version 1.8.1
https://github.com/CoreWCF/CoreWCF.git (GITHUB): affected versions =v1.9.0 <v1.9.1; fix: update to version v1.9.1
https://github.com/CoreWCF/CoreWCF.git (GITHUB): affected versions >=v0.3.0 <v1.8.1; fix: update to version v1.8.1
corewcf.primitives (NUGET): affected versions =1.9.0 <1.9.1; fix: update to version 1.9.1
corewcf.primitives (NUGET): affected versions >=0.1.0-preview <1.8.1; fix: update to version 1.8.1
CVSS v4
Base Score: 9.9
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: HIGH
Vulnerable System Integrity: HIGH
Vulnerable System Availability: NONE
Subsequent System Confidentiality: HIGH
Subsequent System Integrity: HIGH
Subsequent System Availability: NONE
CVSS v3
Base Score: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: NONE