GHSA-2288-8h3r-cqgg

Source
https://github.com/advisories/GHSA-2288-8h3r-cqgg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2288-8h3r-cqgg/GHSA-2288-8h3r-cqgg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2288-8h3r-cqgg
Aliases
  • CVE-2026-54784
Published
2026-06-19T20:47:17Z
Modified
2026-06-19T21:00:17.437475306Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
CoreWCF: SPNEGO SecurityContextToken proof key wrapped without confidentiality
Details

Impact

When the proof key recovered from the RSTR (RequestSecurityTokenResponse) can be observed by a party that is not the legitimate client, that party can impersonate the authenticated Windows principal for the lifetime of the SCT (SecurityContextToken; default lifetime about 10 hours) and can decrypt or forge any subsequent WS-SecureConversation traffic that uses keys derived from that SCT.

Preconditions

The service uses security mode TransportWithMessageCredential with client credential type Windows, together with security session establishment (which triggers the use of WS-SecureConversation).

Patches

Fixed in CoreWCF v1.9.1

Workarounds

Ensure the communication channel is protected by SSL/TLS so that the SCT negotiation handshake cannot be captured in transit.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T20:47:17Z",
    "nvd_published_at": null,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-311",
        "CWE-523"
    ]
}
Affected packages

NuGet / CoreWCF.Primitives

Package

Name
CoreWCF.Primitives
Purl
pkg:nuget/CoreWCF.Primitives

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.9.0
Fixed
1.9.1

Affected versions

1.*
1.9.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2288-8h3r-cqgg/GHSA-2288-8h3r-cqgg.json"