GHSA-wjpq-6766-7f5j

Source
https://github.com/advisories/GHSA-wjpq-6766-7f5j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wjpq-6766-7f5j/GHSA-wjpq-6766-7f5j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wjpq-6766-7f5j
Aliases
  • CVE-2026-54776
Published
2026-06-19T20:46:52Z
Modified
2026-06-19T21:00:17.170216639Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
CoreWCF: Unix Domain Socket PosixIdentity transport accepts connections that skip the security upgrade
Details

Impact

A CoreWCF service hosted on Unix Domain Sockets with the PosixIdentity client credential type (UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and Security.Transport.ClientCredentialType = PosixIdentity) does not require the client to perform the application/unixposix stream upgrade before dispatching messages.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

Restrict filesystem access to the UDS socket file using owner/group/mode (e.g. chmod 0660 plus a dedicated group) so that only the POSIX users who are already authorized to invoke the service can connect at all. With that in place, the effective access control is the operating system's filesystem permissions rather than the framing-layer identity check that the skipped upgrade would have provided. Avoid relying on ServiceSecurityContext.PrimaryIdentity for authorization decisions, or back it up with an authentication-required authorization policy that rejects anonymous principals.
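The filesystem-permission workaround above, as an added example (not from the advisory or the CoreWCF project): a small POSIX shell helper that applies the recommended owner/group/mode to the socket file and a check that fails whenever the "other" permission bits are set, which is the condition under which any local user could reach the endpoint. The socket path, the group name and the stand-in file used for the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CoreWCF code. Restricts a Unix Domain Socket file to a
# dedicated group so the OS, not the framing layer, decides who may connect.

# harden_uds_socket PATH [GROUP]
# Sets mode 0660 on the socket file; assigns GROUP when one is given.
harden_uds_socket() {
  sock="$1"
  group="$2"
  [ -e "$sock" ] || return 1
  if [ -n "$group" ]; then
    chgrp "$group" "$sock" || return 1
  fi
  chmod 0660 "$sock" || return 1
}

# check_uds_socket_mode PATH
# Returns 0 when no "other" permission bits are set (e.g. 0660 or 0600),
# 1 when any local user could open the socket, 2 when the mode can't be read.
check_uds_socket_mode() {
  sock="$1"
  # GNU stat first, BSD/macOS stat as a fallback.
  mode=$(stat -c '%a' "$sock" 2>/dev/null) \
    || mode=$(stat -f '%Lp' "$sock" 2>/dev/null) \
    || return 2
  # The last octal digit is the "other" class; anything but 0 is world access.
  others=$(printf '%s' "$mode" | tail -c 1)
  [ "$others" = "0" ]
}

# Demo on a constructed stand-in file (a real service would create the socket
# itself; the checks apply to the socket path exactly the same way).
demo_sock=$(mktemp)                       # constructed placeholder for the socket
chmod 0666 "$demo_sock"                   # deliberately world-accessible
if check_uds_socket_mode "$demo_sock"; then
  echo "unexpected: world-accessible socket passed the check"
else
  echo "world-accessible socket correctly rejected"
fi
harden_uds_socket "$demo_sock"            # group omitted so the demo runs unprivileged
check_uds_socket_mode "$demo_sock" && echo "hardened socket accepted"
rm -f "$demo_sock"
```

In production, pass the dedicated group as the second argument (for example harden_uds_socket /run/myservice/app.sock myservice-clients, both names hypothetical) and run the check from the service's start-up script or a monitoring job so that a regression to 0666 is caught before the endpoint is exposed.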

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T20:46:52Z",
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-306"
    ]
}
References

Affected packages

NuGet / CoreWCF.UnixDomainSocket

Package

Name
CoreWCF.UnixDomainSocket
Purl
pkg:nuget/CoreWCF.UnixDomainSocket

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.8.1

Affected versions

1.*
1.5.0-preview1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.8.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wjpq-6766-7f5j/GHSA-wjpq-6766-7f5j.json"

NuGet / CoreWCF.UnixDomainSocket

Package

Name
CoreWCF.UnixDomainSocket
Purl
pkg:nuget/CoreWCF.UnixDomainSocket

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.9.0
Fixed
1.9.1

Affected versions

1.*
1.9.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wjpq-6766-7f5j/GHSA-wjpq-6766-7f5j.json"