CVE-2026-54774
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, SamlSerializer skips
CVSS
7.4
High
EPSS
0.1%
p5
KEV
—
Exploit Today
1
0-100
Published: Jul 8, 2026 · Last modified: Jul 10, 2026 · CWE-345 · CWE-347
0.1%EPSS · 30 days0.1%
2026-07-092026-07-17
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, SamlSerializer skips final SignatureValue verification when a CoreWCF service validates SAML tokens using a non-X.509 signing token, allowing an attacker to reference a non-X.509 SecurityToken key identifier and bypass assertion signature verification. This issue is fixed in versions 1.8.1 and 1.9.1.
- github.comhttps://github.com/CoreWCF/CoreWCF/commit/65d09022749854ba943e376aefb958dec05b00d8
- github.comhttps://github.com/CoreWCF/CoreWCF/commit/b914495ce63c44924664643b60a262e7595081a4
- github.comhttps://github.com/CoreWCF/CoreWCF/commit/e7454132876ecc7e2cf80e541a44376eeb54979b
- github.comhttps://github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1
- github.comhttps://github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1
- github.comhttps://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-rpj7-hr7h-w6p9
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-4855810.0 CRI63.6%
KEV—69SimpleHelp Authentication Bypass Vulnerability17dCVE-2026-403729.1 CRI95.5%
——29Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.3dCVE-2026-290009.1 CRI92.4%
——28pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.3dCVE-2026-54733—56.1%
——17The Microsoft 365 and Microsoft Entra ID Plugins for Moodle provide Office 365 and Azure Active Directory integration for Moodle. Prior to 4.5.6, 5.0.5, and 5.1.1, the Microsoft Office 365 Integration plugin local_o365 Teams SSO endpoint sso_login.php base64-decodes a JWT payload and authenticates users from the upn claim without verifying the JWT signature, allowing an unauthenticated attacker to forge a token and obtain a Moodle session as an O365-authenticated user. This issue is fixed in versions 4.5.6, 5.0.5, and 5.1.1.1dCVE-2026-33387.5 HIG51.8%
——16Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.3dCVE-2026-279629.1 CRI42.2%
——13Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.3d