Improper Verification of Cryptographic Signature Affecting corewcf.primitives package, versions [1.0.0-preview1,1.8.1)[1.9.0,1.9.1)


Severity

critical (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-DOTNET-COREWCFPRIMITIVES-17398201
  • published: 22 Jun 2026
  • disclosed: 19 Jun 2026
  • credit: Unknown

Introduced: 19 Jun 2026

CVE-2026-54782
CWE-290 (Authentication Bypass by Spoofing)
CWE-347 (Improper Verification of Cryptographic Signature)

How to fix?

Upgrade CoreWCF.Primitives to version 1.8.1, 1.9.1 or higher.

Overview

CoreWCF.Primitives is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. The goal of this project is to enable existing WCF services to move to .NET Core.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the SamlSecurityTokenHandler validation path in CoreWCF.IdentityModel.Tokens. An attacker can forge or tamper with a SAML 1.1/2.0 assertion and have it accepted by supplying a token whose signature is not properly bound to a trusted issuer key. The vulnerable validation flow used a signature validator without resolving the issuer signing key from the assertion’s X.509 material, so signed-token checks were not enforced against the inbound SAML token’s certificate. This allows unauthenticated or attacker-controlled claims to be accepted, leading to forged identities and unauthorized access to protected services.
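The flaw described above is a key-binding mistake rather than a broken signature algorithm: the signature is checked, but against key material that arrived inside the token instead of a key the relying party already trusts for that issuer. The following Go program is an added illustration, not CoreWCF code or anything from the advisory; it models a signed assertion as a small struct (issuer, claims, signature, embedded signer key) and contrasts a verifier that uses the embedded key with one that resolves the key from a trusted-issuer registry. The issuer URL, claims strings and key sizes are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token is a constructed stand-in for a signed SAML assertion: issuer name,
// claims payload, a signature over both, and the public key the token itself
// presents as the signer (the analogue of the X.509 material carried in the
// assertion's ds:KeyInfo). Every field is under the sender's control.
type Token struct {
	Issuer    string
	Claims    string
	Signature []byte
	SignerKey *rsa.PublicKey
}

// digest fixes the exact bytes covered by the signature.
func digest(issuer, claims string) []byte {
	sum := sha256.Sum256([]byte(issuer + "|" + claims))
	return sum[:]
}

// issueToken signs the claims with priv and embeds the matching public key,
// as a legitimate STS (or anyone holding their own key pair) would.
func issueToken(priv *rsa.PrivateKey, issuer, claims string) (*Token, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(issuer, claims))
	if err != nil {
		return nil, err
	}
	return &Token{Issuer: issuer, Claims: claims, Signature: sig, SignerKey: &priv.PublicKey}, nil
}

// verifyWithEmbeddedKey mirrors the flawed flow: the signature is valid for
// the key the token carries, so any token signed with the key it carries
// passes, regardless of who generated that key.
func verifyWithEmbeddedKey(t *Token) error {
	return rsa.VerifyPKCS1v15(t.SignerKey, crypto.SHA256, digest(t.Issuer, t.Claims), t.Signature)
}

// verifyAgainstTrustedIssuer resolves the signing key from the relying party's
// trusted-issuer registry and never consults the key embedded in the token.
func verifyAgainstTrustedIssuer(t *Token, trusted map[string]*rsa.PublicKey) error {
	key, ok := trusted[t.Issuer]
	if !ok {
		return errors.New("issuer not trusted: " + t.Issuer)
	}
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest(t.Issuer, t.Claims), t.Signature); err != nil {
		return errors.New("signature is not bound to the trusted issuer key for " + t.Issuer)
	}
	return nil
}

// ScenarioResult records how each verifier treats a genuine and a forged token.
type ScenarioResult struct {
	GenuineAcceptedByEmbedded bool
	GenuineAcceptedByTrusted  bool
	ForgedAcceptedByEmbedded  bool
	ForgedAcceptedByTrusted   bool
}

// RunScenario creates a trusted STS key and an unrelated key, issues a genuine
// token and a token that names the trusted issuer but is signed with the
// unrelated key, then runs both verifiers over each.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	stsKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	// Relying-party configuration: issuer name -> pinned signing key (constructed).
	const issuer = "https://sts.example.test"
	trusted := map[string]*rsa.PublicKey{issuer: &stsKey.PublicKey}

	genuine, err := issueToken(stsKey, issuer, "name=alice;role=user")
	if err != nil {
		return r, err
	}
	forged, err := issueToken(otherKey, issuer, "name=alice;role=admin")
	if err != nil {
		return r, err
	}
	r.GenuineAcceptedByEmbedded = verifyWithEmbeddedKey(genuine) == nil
	r.GenuineAcceptedByTrusted = verifyAgainstTrustedIssuer(genuine, trusted) == nil
	r.ForgedAcceptedByEmbedded = verifyWithEmbeddedKey(forged) == nil
	r.ForgedAcceptedByTrusted = verifyAgainstTrustedIssuer(forged, trusted) == nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

The genuine token passes both verifiers, while the forged token passes only the embedded-key check; the trusted-issuer check rejects it because the registry lookup for the named issuer yields the STS key, which does not verify the forged signature. In a real SAML deployment the registry role is played by the issuer name registry or configured trusted certificates, and the same binding must hold for whichever key the token's KeyInfo advertises.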

Notes

  • The bypass only applies to the federated issued-token path used by WSFederationHttpBinding and WS2007FederationHttpBinding when UseIdentityConfiguration = true; services that do not route validation through FederatedSecurityTokenManager are outside the affected flow.
  • Impact extends to whatever principal set the trusted STS can assert, including administrative identities if the relying party maps them from SAML claims.
