CVE-2026-54784
Received
Received - Intake
CoreWCF SPNEGO SecurityContextToken Proof Key Exposure
Vulnerability report for CVE-2026-54784, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-08
Last updated on: 2026-07-08
Assigner: GitHub, Inc.
Description
Description
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. In version 1.9.0, CoreWCF SPNEGO SecurityContextToken negotiation can expose the proof key recovered from the RSTR when TransportWithMessageCredential with Windows client credentials and session establishment are used, allowing an observer to impersonate the authenticated Windows principal and decrypt or forge WS-SecureConversation traffic. This issue is fixed in version 1.9.1.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| corewcf | corewcf | to 1.9.1 (exc) |
| corewcf | corewcf | 1.9.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-311 | The product does not encrypt sensitive or critical information before storage or transmission. |
| CWE-523 | Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. |