CoreWCF SAML Token Signature Validation Authentication Bypass (CVE-2026-54782)
CVE-2026-54782 is a critical (CVSS 10.0) authentication bypass vulnerability in CoreWCF.Primitives affecting SAML 1.1 and 2.0 token signature validation. An unauthenticated attacker can craft a SAML assertion with an invalid or missing signature that CoreWCF accepts as valid, bypassing all authentication controls on WCF service endpoints. Affects CoreWCF.Primitives < 1.8.1 and >= 1.9.0, < 1.9.1. A public PoC exists.
Vulnerability Intelligence
Public PoCAffected Software
- Vendor
- nuget
- Product
- CoreWCF.Primitives
- Versions
- < 1.8.1, >= 1.9.0, < 1.9.1
Timeline
- Disclosed
- June 19, 2026
What is CVE-2026-54782 CoreWCF SAML Token Signature Validation Authentication Bypass (CVE-2026-54782)?
CoreWCF SAML Token Signature Validation Authentication Bypass (CVE-2026-54782) (CVE-2026-54782) maps to the Initial Access and Privilege Escalation and Credential Access tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CoreWCF SAML Token Signature Validation Authentication Bypass (CVE-2026-54782), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Azure Active Directory, Microsoft Sentinel AuditLogs. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
union DeviceNetworkEvents, DeviceProcessEvents, AuditLogs
| where TimeGenerated > ago(24h)
| where (
(ActionType == "ConnectionSuccess" and RemotePort in (80, 443, 808, 9000))
or (OperationName has "WCF" and ResultDescription has_any ("SAML", "token", "assertion"))
or (ProcessCommandLine has_any ("CoreWCF", "System.ServiceModel"))
)
| extend SamlIndicator = iff(
OperationName has "SAML" or InitiatedBy has "SAML" or AdditionalDetails has "assertion",
true, false
)
| where SamlIndicator == true
or (ActionType == "ConnectionSuccess" and isnotempty(RemoteUrl) and RemoteUrl matches regex @"(?i)(saml|wstrust|sts|adfs)")
| extend RiskScore = case(
SamlIndicator == true and ResultDescription has "bypass", 100,
SamlIndicator == true and ResultDescription has_any ("unauthenticated", "anonymous"), 90,
SamlIndicator == true, 70,
50
)
| project TimeGenerated, DeviceName, AccountName, ActionType, OperationName, ResultDescription, RemoteUrl, RiskScore, AdditionalDetails
| sort by RiskScore desc, TimeGenerated descDetects potential exploitation of CVE-2026-54782 by correlating WCF/SAML-related network connections, process activity, and Azure AD audit events indicating SAML assertion usage on CoreWCF endpoints. High-fidelity when paired with application logs exposing SAML token processing errors.
Data Sources
Required Tables
False Positives
- Legitimate SAML-based authentication flows against WCF services in enterprise SSO environments
- Penetration testing or red team exercises against .NET WCF endpoints
- Security scanners (Qualys, Nessus, Tenable) probing SAML endpoints during scheduled assessments
Sigma rule & cross-platform mapping
The detection logic for CoreWCF SAML Token Signature Validation Authentication Bypass (CVE-2026-54782) (CVE-2026-54782) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-54782
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Send Unsigned SAML 2.0 Assertion to CoreWCF Endpoint
Expected signal: IIS logs show POST /Service with HTTP 200 response; Windows Application Event Log shows no SecurityTokenValidationException; network capture shows SAML assertion without Signature element accepted
- Test 2Send Stripped Signature SAML 1.1 Token to CoreWCF wsHttpBinding Endpoint
Expected signal: Network capture shows WS-Security SOAP header with SAML 1.1 assertion lacking Signature; IIS or Kestrel logs show HTTP 200; no authentication failure event in Windows Security log
- Test 3Deploy Vulnerable CoreWCF Version and Validate Authentication Bypass via PoC
Expected signal: dotnet process spawned on port 5050; curl returns echo response without authentication challenge on 1.8.0; after patching to 1.8.1 the same request returns 401 or SOAP fault
Unlock Pro Content
Get the full detection package for CVE-2026-54782 including response playbook, investigation guide, and atomic red team tests.