Detect CoreWCF SAML Token Signature Validation Authentication Bypass (CVE-2026-54782) in Splunk
CVE-2026-54782 is a critical (CVSS 10.0) authentication bypass vulnerability in CoreWCF.Primitives affecting SAML 1.1 and 2.0 token signature validation. An unauthenticated attacker can craft a SAML assertion with an invalid or missing signature that CoreWCF accepts as valid, bypassing all authentication controls on WCF service endpoints. Affects CoreWCF.Primitives < 1.8.1 and >= 1.9.0, < 1.9.1. A public PoC exists.
MITRE ATT&CK
SPL Detection Query
index=* sourcetype IN ("WinEventLog:Application", "iis", "wineventlog", "dotnet:applog", "xmlsyslog")
| where match(_raw, "(?i)(CoreWCF|System\.ServiceModel|SAML|WSTrust|STS|assertion|token)")
| eval saml_bypass_indicator=if(
match(_raw, "(?i)(signature.*invalid|unsigned.*assertion|token.*bypass|auth.*skip|SAML.*fail|SecurityTokenValidationException)"),
1, 0
)
| eval exploit_indicator=if(
match(_raw, "(?i)(anonymous.*access|unauthenticated.*call|bypass.*auth|forged.*token)"),
1, 0
)
| eval risk_score=case(
saml_bypass_indicator=1 AND exploit_indicator=1, 100,
saml_bypass_indicator=1, 75,
exploit_indicator=1, 60,
true(), 30
)
| where risk_score >= 60
| stats count AS event_count, max(risk_score) AS max_risk, values(host) AS affected_hosts, values(source) AS log_sources, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip, user
| sort - max_risk
| table src_ip, user, event_count, max_risk, affected_hosts, log_sources, first_seen, last_seenSearches application and IIS logs for CoreWCF/SAML token signature validation failures, unsigned assertion acceptance, or anonymous access anomalies indicative of CVE-2026-54782 exploitation.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Misconfigured SAML relying-party trust settings producing benign signature errors during SSO setup
- Load balancer health checks against WCF endpoints appearing as anonymous access
- Development/test environments running pre-1.8.1 CoreWCF without authentication requirements
Other platforms for CVE-2026-54782
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Send Unsigned SAML 2.0 Assertion to CoreWCF Endpoint
Expected signal: IIS logs show POST /Service with HTTP 200 response; Windows Application Event Log shows no SecurityTokenValidationException; network capture shows SAML assertion without Signature element accepted
- Test 2Send Stripped Signature SAML 1.1 Token to CoreWCF wsHttpBinding Endpoint
Expected signal: Network capture shows WS-Security SOAP header with SAML 1.1 assertion lacking Signature; IIS or Kestrel logs show HTTP 200; no authentication failure event in Windows Security log
- Test 3Deploy Vulnerable CoreWCF Version and Validate Authentication Bypass via PoC
Expected signal: dotnet process spawned on port 5050; curl returns echo response without authentication challenge on 1.8.0; after patching to 1.8.1 the same request returns 401 or SOAP fault
Unlock Pro Content
Get the full detection package for CVE-2026-54782 including response playbook, investigation guide, and atomic red team tests.