GHSA-xjr9-gg9q-jx3vCriticalCVSS 10.0

CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Full impersonation of any principal the trusted STS could have issued an assertion for — including administrative principals when the relying party grants them via SAML claims. Affects both SAML 1.1 and SAML 2.0.

Preconditions

Relying-party service is hosted with WSFederationHttpBinding or WS2007FederationHttpBinding (or any binding that triggers FederatedSecurityTokenManager for issued-token validation), and IdentityConfiguration is wired (UseIdentityConfiguration = true). Attacker can reach the service over the network and knows the trusted STS’s public certificate (public certs are by design discoverable).

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

None

🎯 Affected products2

  • nuget/CoreWCF.Primitives:< 1.8.1
  • nuget/CoreWCF.Primitives:>= 1.9.0, < 1.9.1

🔗 References (2)