CVE-2026-54780
Received Received - Intake

WS-Security DigestMethod Validation Bypass in CoreWCF

Vulnerability report for CVE-2026-54780, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, the CoreWCF WS-Security 1.0 receive pipeline validates ds:SignedInfo SignatureMethod against the configured SecurityAlgorithmSuite but does not validate each ds:Reference DigestMethod, allowing a sender to use a rejected digest algorithm such as SHA-1 while the message is still accepted. This issue is fixed in versions 1.8.1 and 1.9.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
corewcf corewcf to 1.8.1 (inc)
corewcf corewcf to 1.9.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-757 A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in CoreWCF, a port of the Windows Communication Foundation to .NET Core. Before versions 1.8.1 and 1.9.1, the WS-Security 1.0 receive pipeline in CoreWCF validates the SignatureMethod used in the ds:SignedInfo element against the configured SecurityAlgorithmSuite. However, it does not validate the DigestMethod used in each ds:Reference element. This means an attacker can use a rejected digest algorithm, such as SHA-1, which is considered weak, and still have the message accepted by the system.

The issue was fixed in CoreWCF versions 1.8.1 and 1.9.1 by adding validation for each ds:Reference DigestMethod.

Impact Analysis

This vulnerability can allow an attacker to send messages signed with weak or deprecated digest algorithms like SHA-1, which may be vulnerable to cryptographic attacks. As a result, the integrity of the messages could be compromised, potentially allowing message tampering or forgery without detection.

However, the CVSS base score is 3.7, indicating a low severity impact with no confidentiality or availability impact, but with a low impact on integrity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade CoreWCF to version 1.8.1 or 1.9.1 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54780. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart