CVE-2026-54782 Elastic Security · Elastic

Detect CoreWCF SAML Token Signature Validation Authentication Bypass (CVE-2026-54782) in Elastic Security

CVE-2026-54782 is a critical (CVSS 10.0) authentication bypass vulnerability in CoreWCF.Primitives affecting SAML 1.1 and 2.0 token signature validation. An unauthenticated attacker can craft a SAML assertion with an invalid or missing signature that CoreWCF accepts as valid, bypassing all authentication controls on WCF service endpoints. Affects CoreWCF.Primitives < 1.8.1 and >= 1.9.0, < 1.9.1. A public PoC exists.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name, user.name with maxspan=5m
  [network where network.protocol in ("http", "https") and
   destination.port in (80, 443, 808, 8080, 9000) and
   url.path like~ "*saml*" or url.path like~ "*wstrust*" or url.path like~ "*sts*"]
  [process where process.name in ("w3wp.exe", "dotnet.exe") and
   process.args like~ "*CoreWCF*" or process.args like~ "*System.ServiceModel*"]
  [any where event.dataset == "windows.application" and
   message like~ "*SAML*" and
   (message like~ "*bypass*" or message like~ "*invalid signature*" or message like~ "*unsigned*")]
critical severity medium confidence

EQL sequence detection correlating inbound SAML-path HTTP requests to a CoreWCF .NET worker process followed by an application log event indicating signature validation failure or bypass, all within a 5-minute window.

Data Sources

Elastic EndpointWindows Event Logs via Elastic AgentIIS via Filebeat

Required Tables

logs-network.*logs-windows.application-*metrics-system.*

False Positives & Tuning

  • Legitimate federated authentication flows generating transient SAML validation warnings
  • Certificate rotation events causing temporary signature verification failures
  • Automated integration tests replaying SAML assertions against WCF test endpoints

Other platforms for CVE-2026-54782

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Send Unsigned SAML 2.0 Assertion to CoreWCF Endpoint

    Expected signal: IIS logs show POST /Service with HTTP 200 response; Windows Application Event Log shows no SecurityTokenValidationException; network capture shows SAML assertion without Signature element accepted

  2. Test 2Send Stripped Signature SAML 1.1 Token to CoreWCF wsHttpBinding Endpoint

    Expected signal: Network capture shows WS-Security SOAP header with SAML 1.1 assertion lacking Signature; IIS or Kestrel logs show HTTP 200; no authentication failure event in Windows Security log

  3. Test 3Deploy Vulnerable CoreWCF Version and Validate Authentication Bypass via PoC

    Expected signal: dotnet process spawned on port 5050; curl returns echo response without authentication challenge on 1.8.0; after patching to 1.8.1 the same request returns 401 or SOAP fault

Last updated: 2026-06-21 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-54782 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1606.002SAML TokensT1550Use Alternate Authentication MaterialT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections