Detect CoreWCF SAML Token Signature Validation Authentication Bypass (CVE-2026-54782) in Google Chronicle
CVE-2026-54782 is a critical (CVSS 10.0) authentication bypass vulnerability in CoreWCF.Primitives affecting SAML 1.1 and 2.0 token signature validation. An unauthenticated attacker can craft a SAML assertion with an invalid or missing signature that CoreWCF accepts as valid, bypassing all authentication controls on WCF service endpoints. Affects CoreWCF.Primitives < 1.8.1 and >= 1.9.0, < 1.9.1. A public PoC exists.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2026_54782_corewcf_saml_bypass {
meta:
author = "df00tech"
description = "Detects CVE-2026-54782 CoreWCF SAML authentication bypass attempts"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-xjr9-gg9q-jx3v"
events:
(
$e1.metadata.event_type = "NETWORK_HTTP"
and (
re.regex($e1.network.http.request_url, `(?i)(saml|wstrust|sts|assertion)`) or
re.regex($e1.target.url, `(?i)(saml|wstrust|sts)`)
)
and $e1.target.port in (80, 443, 808, 8080, 9000)
)
or
(
$e1.metadata.event_type = "PROCESS_LAUNCH"
and (
re.regex($e1.target.process.command_line, `(?i)(CoreWCF|System\.ServiceModel)`) or
$e1.target.process.file.full_path = /w3wp\.exe/ or
$e1.target.process.file.full_path = /dotnet\.exe/
)
)
or
(
$e1.metadata.event_type = "GENERIC_EVENT"
and re.regex($e1.metadata.description, `(?i)(SAML|CoreWCF|assertion|WSTrust)`)
and re.regex($e1.metadata.description, `(?i)(bypass|invalid signature|unsigned|unauthenticated|SecurityTokenValidation)`)
)
condition:
$e1
}Chronicle YARA-L 2.0 rule detecting CVE-2026-54782 exploitation via HTTP requests to SAML/WSTrust paths on WCF ports, CoreWCF process launches, or application log events indicating SAML signature bypass.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate SAML-based SSO authentication traffic to enterprise WCF services
- Security tooling performing SAML endpoint discovery during authorized assessments
- Development pipelines building and testing CoreWCF projects with SAML authentication
Other platforms for CVE-2026-54782
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Send Unsigned SAML 2.0 Assertion to CoreWCF Endpoint
Expected signal: IIS logs show POST /Service with HTTP 200 response; Windows Application Event Log shows no SecurityTokenValidationException; network capture shows SAML assertion without Signature element accepted
- Test 2Send Stripped Signature SAML 1.1 Token to CoreWCF wsHttpBinding Endpoint
Expected signal: Network capture shows WS-Security SOAP header with SAML 1.1 assertion lacking Signature; IIS or Kestrel logs show HTTP 200; no authentication failure event in Windows Security log
- Test 3Deploy Vulnerable CoreWCF Version and Validate Authentication Bypass via PoC
Expected signal: dotnet process spawned on port 5050; curl returns echo response without authentication challenge on 1.8.0; after patching to 1.8.1 the same request returns 401 or SOAP fault
Unlock Pro Content
Get the full detection package for CVE-2026-54782 including response playbook, investigation guide, and atomic red team tests.