Description
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. In version 1.9.0, CoreWCF SPNEGO SecurityContextToken negotiation can expose the proof key recovered from the RSTR when TransportWithMessageCredential with Windows client credentials and session establishment are used, allowing an observer to impersonate the authenticated Windows principal and decrypt or forge WS-SecureConversation traffic. This issue is fixed in version 1.9.1.
Published: 2026-07-08
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2288-8h3r-cqgg CoreWCF: SPNEGO SecurityContextToken proof key wrapped without confidentiality
History

Wed, 08 Jul 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Corewcf
Corewcf corewcf
Vendors & Products Corewcf
Corewcf corewcf

Wed, 08 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
Description CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. In version 1.9.0, CoreWCF SPNEGO SecurityContextToken negotiation can expose the proof key recovered from the RSTR when TransportWithMessageCredential with Windows client credentials and session establishment are used, allowing an observer to impersonate the authenticated Windows principal and decrypt or forge WS-SecureConversation traffic. This issue is fixed in version 1.9.1.
Title CoreWCF: SPNEGO SecurityContextToken proof key wrapped without confidentiality
Weaknesses CWE-311
CWE-523
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T22:18:13.846Z

Reserved: 2026-06-15T23:23:57.714Z

Link: CVE-2026-54784

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T23:30:10Z

Weaknesses
  • CWE-311

    Missing Encryption of Sensitive Data

  • CWE-523

    Unprotected Transport of Credentials