URL: https://github.com/advisories/GHSA-4v55-cpmv-3vcm

CoreWCF: WS-Security Reference DigestMethod Algorithm-Suite Bypass

Low severity GitHub Reviewed Published in CoreWCF/CoreWCF • Updated

Package

CoreWCF.Primitives (NuGet)

Affected versions

< 1.8.1
>= 1.9.0, < 1.9.1

Patched versions

1.8.1
1.9.1

Description

Impact

CoreWCF’s WS-Security 1.0 receive pipeline validates the SignatureMethod of an incoming ds:SignedInfo against the configured SecurityAlgorithmSuite, but does not validate the DigestMethod declared on each ds:Reference. As a result, a sender can populate ds:SignedInfo with a SignatureMethod value the suite accepts (for example rsa-sha256 under Basic256Sha256) while declaring a per-reference DigestMethod the suite rejects (for example http://www.w3.org/2000/09/xmldsig#sha1). Signature verification then proceeds with the SHA-1 digests permitted, and the message is accepted.
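For auditing captured or logged messages on unpatched deployments, the check described above can be applied offline. The following is an added example, not CoreWCF code: the function names, the Basic256Sha256 allow-list and the sample envelope are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted captures, parse with defusedxml instead

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
SHA1 = DS + "sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Assumed allow-list for Basic256Sha256, modelled on the advisory's example
# (rsa-sha256 accepted, SHA-1 digest rejected); not read from CoreWCF itself.
BASIC256SHA256 = {
    "signature": {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                  "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"},
    "digest": {SHA256},
}

def audit_signed_info(xml_text, suite=BASIC256SHA256):
    """Return (element, reference URI, algorithm) for each algorithm outside the suite."""
    findings = []
    for si in ET.fromstring(xml_text).iter(f"{{{DS}}}SignedInfo"):
        sm = si.find("ds:SignatureMethod", NS)
        alg = sm.get("Algorithm") if sm is not None else None
        if alg not in suite["signature"]:
            findings.append(("SignatureMethod", None, alg))
        # The step the advisory says was missing: check every Reference's digest too.
        for ref in si.findall("ds:Reference", NS):
            dm = ref.find("ds:DigestMethod", NS)
            dalg = dm.get("Algorithm") if dm is not None else None
            if dalg not in suite["digest"]:
                findings.append(("DigestMethod", ref.get("URI"), dalg))
    return findings

def sample_message(timestamp_digest):
    """Constructed, structure-only envelope (placeholder digest values, no SignatureValue)."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="{DS}">
 <s:Header><ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#body"><ds:DigestMethod Algorithm="{SHA256}"/>
   <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
  <ds:Reference URI="#ts"><ds:DigestMethod Algorithm="{timestamp_digest}"/>
   <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
 </ds:SignedInfo></ds:Signature></s:Header>
 <s:Body/>
</s:Envelope>"""

if __name__ == "__main__":
    for finding in audit_signed_info(sample_message(SHA1)):
        print(finding)
```

A SignatureMethod-only check passes the constructed message; the per-reference loop is what reports the SHA-1 digest on `#ts`.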

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

None

References

Published to the GitHub Advisory Database
Reviewed
Last updated

Severity

Low
/ 10

CVSS v3 base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS score

Weaknesses

CVE ID

CVE-2026-54780

GHSA ID

GHSA-4v55-cpmv-3vcm

Source code
