Upgrade CoreWCF.Primitives to version 1.8.1, 1.9.1 or higher.
CoreWCF.Primitives is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. The goal of this project is to enable existing WCF services to move to .NET Core.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the ReadSignatureCore path of WSSecurityOneDotZeroReceiveSecurityHeader. The receiver can be made to validate a ds:Signature that sits in a sibling SOAP header rather than inside wsse:Security: an attacker sends a crafted envelope that carries a legitimate-looking wsse:Security header but places the malicious signature outside it. The service then accepts a signature over attacker-chosen content in place of the intended target inside the security header, so authenticated message processing proceeds on the wrong signed data and the WS-Security coverage expected for the Timestamp or the primary signature target is bypassed.
Note: Exploitation requires the endpoint to be configured with an endorsing supporting token binding, and the attacker must construct a ds:Signature whose KeyInfo resolves through the receive-side token resolver to a key under the attacker's control. Whether either condition holds depends on the deployment's configuration rather than on anything the attacker controls directly on a generic deployment.
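The placement and coverage checks implied by the description above, as an added Python illustration that is not CoreWCF's code and performs no cryptographic verification: the sample envelopes, the element ids (ts-1, order-1) and the evaluate function are constructed here for illustration only. It contrasts a lenient lookup that considers any ds:Signature found under the SOAP Header (a simplified model of the flawed behaviour, not the actual ReadSignatureCore logic) with a strict one that only accepts a direct child of wsse:Security whose ds:Reference list covers the wsu:Timestamp in that same header.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"


def q(ns, local):
    """Clark-notation tag used by ElementTree: {namespace}local."""
    return "{%s}%s" % (ns, local)


def _envelope(security_children, sibling_headers):
    # Constructed sample envelope (illustration only). The wsse:Security header
    # always carries a Timestamp; callers decide where the ds:Signature goes.
    return f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <s:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
      {security_children}
    </wsse:Security>
    {sibling_headers}
  </s:Header>
  <s:Body><Order wsu:Id="order-1">buy 1</Order></s:Body>
</s:Envelope>"""


# Two constructed signatures: one referencing the Timestamp, one referencing
# attacker-chosen body content. SignatureValue is a placeholder, never verified.
SIG_OVER_TIMESTAMP = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#ts-1"/></ds:SignedInfo>'
                      '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')
SIG_OVER_ORDER = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#order-1"/></ds:SignedInfo>'
                  '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')

GOOD = _envelope(SIG_OVER_TIMESTAMP, "")          # signature inside wsse:Security, covers Timestamp
CRAFTED = _envelope("", SIG_OVER_ORDER)            # signature is a sibling SOAP header
MISCOVERED = _envelope(SIG_OVER_ORDER, "")         # inside wsse:Security but does not cover Timestamp


def evaluate(envelope_xml, placement_check=True):
    """Return (accepted, reason) for the first ds:Signature in scope.

    placement_check=True  : strict; only direct children of wsse:Security count,
                            and the signature must reference the wsu:Timestamp.
    placement_check=False : lenient model of the flaw; any ds:Signature under the
                            SOAP Header is taken at face value.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find(q(SOAP, "Header"))
    if header is None:
        return (False, "no SOAP Header")
    security = header.find(q(WSSE, "Security"))
    if security is None:
        return (False, "no wsse:Security header")
    timestamp = security.find(q(WSU, "Timestamp"))
    ts_id = timestamp.get(q(WSU, "Id")) if timestamp is not None else None

    if placement_check:
        signatures = security.findall(q(DS, "Signature"))      # direct children only
    else:
        signatures = list(header.iter(q(DS, "Signature")))     # anywhere under Header
    if not signatures:
        return (False, "no ds:Signature in scope")

    sig = signatures[0]
    referenced = {r.get("URI", "").lstrip("#") for r in sig.iter(q(DS, "Reference"))}
    if placement_check:
        if ts_id is None or ts_id not in referenced:
            return (False, "signature does not cover the wsu:Timestamp")
        return (True, "signature inside wsse:Security covers wsu:Timestamp")
    # Lenient path: whatever the signature references is what gets trusted.
    return (True, "signature references " + ",".join(sorted(referenced)))


if __name__ == "__main__":
    for name, env in (("GOOD", GOOD), ("CRAFTED", CRAFTED), ("MISCOVERED", MISCOVERED)):
        print(name, "strict  :", evaluate(env))
        print(name, "lenient :", evaluate(env, placement_check=False))
```

Run stand-alone it shows the crafted envelope being accepted only by the lenient lookup, while the strict check rejects both the sibling-header signature and a signature that sits in the right place but does not cover the Timestamp. A real receiver would additionally verify the signature value and resolve KeyInfo through its token resolver; this example deliberately stops at the structural checks.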