Upgrade CoreWCF.Primitives to version 1.8.1, 1.9.1 or higher.
CoreWCF.Primitives is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. The goal of this project is to enable existing WCF services to move to .NET Core.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the SamlSerializer.ReadToken path in the SAML assertion parser. When an assertion is processed with a non-X509 signing token resolved through out-of-band token resolution, the vulnerable branch in SamlSerializer verifies only SignedInfo and never checks the XML-DSig SignatureValue. An attacker can therefore forge a signed SAML 1.1 assertion by supplying a valid DigestValue together with an arbitrary SignatureValue. In deployments that accept symmetric or other non-X509 issuer tokens, such a forged assertion is accepted as valid, allowing the attacker to impersonate a chosen subject or role.
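The following is an added illustration of why a verifier that stops at the reference digest is not checking a signature at all; it is not CoreWCF code and does not use the CoreWCF API. It models the XML-DSig structure in miniature: an assertion element, a SignedInfo element carrying the DigestValue of that assertion, and a SignatureValue that is an HMAC over SignedInfo, with a shared symmetric key standing in for the non-X509 issuer token. The `_c14n` helper, the `ISSUER_KEY` value and the element names are assumptions made for this example; real XML-DSig uses a canonicalization algorithm and namespaced elements. `verify_digest_only` reproduces the vulnerable behaviour described above, `verify_full` performs the check a correct verifier must do, and `tamper` builds the test vector that distinguishes them.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed shared issuer key for this example; stands in for the
# symmetric (non-X509) signing token resolved out of band.
ISSUER_KEY = b"example-shared-issuer-key"


def _c14n(elem):
    # Stand-in for XML canonicalization: deterministic UTF-8 serialization.
    return ET.tostring(elem, encoding="utf-8")


def _digest_b64(elem):
    return base64.b64encode(hashlib.sha256(_c14n(elem)).digest()).decode()


def _hmac_sig(signed_info, key):
    return hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()


def sign_assertion(subject, role, key=ISSUER_KEY):
    """Issue a miniature SAML-like assertion with a detached XML-DSig-style signature."""
    assertion = ET.Element("Assertion", ID="_a1")
    ET.SubElement(assertion, "Subject").text = subject
    ET.SubElement(assertion, "Role").text = role

    signed_info = ET.Element("SignedInfo")
    ref = ET.SubElement(signed_info, "Reference", URI="#_a1")
    ET.SubElement(ref, "DigestValue").text = _digest_b64(assertion)

    signature = ET.Element("Signature")
    signature.append(signed_info)
    sig_b64 = base64.b64encode(_hmac_sig(signed_info, key)).decode()
    ET.SubElement(signature, "SignatureValue").text = sig_b64
    return {"assertion": assertion, "signature": signature}


def _digest_matches(token):
    """Check that SignedInfo's DigestValue matches the assertion it references."""
    expected = token["signature"].find("SignedInfo/Reference/DigestValue").text
    return hmac.compare_digest(expected, _digest_b64(token["assertion"]))


def verify_digest_only(token, key=ISSUER_KEY):
    """Models the vulnerable branch: SignedInfo is verified, SignatureValue is never used."""
    return _digest_matches(token)


def verify_full(token, key=ISSUER_KEY):
    """Correct verification: reference digest AND SignatureValue over SignedInfo."""
    if not _digest_matches(token):
        return False
    signed_info = token["signature"].find("SignedInfo")
    presented = base64.b64decode(token["signature"].find("SignatureValue").text)
    return hmac.compare_digest(presented, _hmac_sig(signed_info, key))


def tamper(token, new_subject):
    """Test vector: rewrite the subject, recompute DigestValue, leave SignatureValue arbitrary.

    Anyone can recompute a digest; only the key holder can produce SignatureValue.
    """
    token["assertion"].find("Subject").text = new_subject
    token["signature"].find("SignedInfo/Reference/DigestValue").text = _digest_b64(token["assertion"])
    token["signature"].find("SignatureValue").text = base64.b64encode(b"\x00" * 32).decode()
    return token


if __name__ == "__main__":
    genuine = sign_assertion("alice", "user")
    print("genuine   digest-only:", verify_digest_only(genuine), " full:", verify_full(genuine))
    forged = tamper(sign_assertion("alice", "user"), "admin")
    print("tampered  digest-only:", verify_digest_only(forged), " full:", verify_full(forged))
```

The digest-only verifier accepts the tampered assertion because DigestValue only proves the assertion matches SignedInfo, not that SignedInfo was produced by the issuer; that binding lives solely in SignatureValue. A regression test of this shape (valid DigestValue, garbage SignatureValue, expect rejection) is the check worth adding to any custom token-validation path, alongside upgrading to the fixed CoreWCF.Primitives versions.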