GHSA-jc6x-rj79-w4mxMediumCVSS 5.9

CoreWCF: WS-Security signature substitution via document-wide Signature lookup

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

An unauthenticated remote attacker who can place a SOAP header lexically before wsse:Security can embed a ds:Signature of their choosing inside that header and cause the server to verify the attacker-supplied signature instead of the one carried in the security header.

Preconditions

Exploitation requires the endpoint be configured with an endorsing supporting token binding, and the attacker constructs a ds:Signature whose KeyInfo resolves through the receive-side token resolver to a key under the attacker’s control. Both are conditions outside the attacker’s direct control on a generic deployment.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

Use a security token resolver that only accepts references to issuer-pinned X.509 chains (the default when expecting a static set of signing certificates).

🎯 Affected products2

  • nuget/CoreWCF.Primitives:< 1.8.1
  • nuget/CoreWCF.Primitives:>= 1.9.0, < 1.9.1

🔗 References (2)