GHSA-jc6x-rj79-w4mx

Source
https://github.com/advisories/GHSA-jc6x-rj79-w4mx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-jc6x-rj79-w4mx/GHSA-jc6x-rj79-w4mx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jc6x-rj79-w4mx
Aliases
  • CVE-2026-54773
Published
2026-06-19T20:46:43Z
Modified
2026-06-19T21:00:16.054426590Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
CoreWCF: WS-Security signature substitution via document-wide Signature lookup
Details

Impact

An unauthenticated remote attacker who can place a SOAP header lexically before wsse:Security can embed a ds:Signature of their choosing inside that header and cause the server to verify the attacker-supplied signature instead of the one carried in the security header.
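The lookup-scope problem described above, as an added illustration that is not CoreWCF's code: a constructed SOAP envelope whose foreign header carries a ds:Signature lexically ahead of wsse:Security is resolved once with a document-wide lookup and once with a lookup scoped to the security header, plus a defensive check that flags signatures outside that scope. Namespace URIs are the standard SOAP 1.1, WSS 1.0 and XML-DSig ones; the `app:Context` header and the `Id` values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a foreign header containing a ds:Signature appears
# lexically before wsse:Security; the genuine signature sits inside wsse:Security.
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:ds="{NS['ds']}">
  <soap:Header>
    <app:Context xmlns:app="urn:example:app">
      <ds:Signature Id="sig-in-foreign-header"><ds:SignedInfo/></ds:Signature>
    </app:Context>
    <wsse:Security>
      <ds:Signature Id="sig-in-security-header"><ds:SignedInfo/></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def document_wide_signature(envelope_xml):
    """Flawed lookup: the first ds:Signature anywhere in the document, in document order."""
    root = ET.fromstring(envelope_xml)
    sig = root.find(".//ds:Signature", NS)
    return sig.get("Id") if sig is not None else None


def security_header_signature(envelope_xml):
    """Scoped lookup: only a ds:Signature that is a direct child of wsse:Security
    under soap:Header is eligible; zero or several candidates yields None."""
    root = ET.fromstring(envelope_xml)
    sigs = root.findall("soap:Header/wsse:Security/ds:Signature", NS)
    return sigs[0].get("Id") if len(sigs) == 1 else None


def stray_signature_ids(envelope_xml):
    """Defensive check: Ids of every ds:Signature that lives outside wsse:Security.
    A non-empty result is a reason to reject or log the message."""
    root = ET.fromstring(envelope_xml)
    in_scope = {id(e) for e in root.findall("soap:Header/wsse:Security//ds:Signature", NS)}
    return [e.get("Id") for e in root.iter(f"{{{NS['ds']}}}Signature") if id(e) not in in_scope]
```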

Preconditions

Exploitation requires that the endpoint be configured with an endorsing supporting token binding, and that the attacker construct a ds:Signature whose KeyInfo resolves, through the receive-side token resolver, to a key under the attacker's control. Both are conditions outside the attacker's direct control on a generic deployment.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

Use a security token resolver that only accepts references to issuer-pinned X.509 chains (the default when expecting a static set of signing certificates).

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T20:46:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-347"
    ]
}
References

Affected packages

NuGet / CoreWCF.Primitives

Package

Name
CoreWCF.Primitives
Purl
pkg:nuget/CoreWCF.Primitives

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.8.1

Affected versions

0.*
0.1.0-preview
0.1.0-preview-2
0.1.0
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.4.0
1.*
1.0.0-preview1
1.0.0-preview2
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.4.0-preview1
1.4.0
1.4.1
1.4.2
1.5.0-preview1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.8.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-jc6x-rj79-w4mx/GHSA-jc6x-rj79-w4mx.json"

NuGet / CoreWCF.Primitives

Package

Name
CoreWCF.Primitives
Purl
pkg:nuget/CoreWCF.Primitives

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.9.0
Fixed
1.9.1

Affected versions

1.*
1.9.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-jc6x-rj79-w4mx/GHSA-jc6x-rj79-w4mx.json"