Home

Description

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service hosted on Unix Domain Sockets with PosixIdentity client credentials can accept connections that skip the application/unixposix stream upgrade before dispatching messages, bypassing framing-layer identity checks in UnixPosixIdentitySecurityUpgradeProvider. This issue is fixed in versions 1.8.1 and 1.9.1.

PUBLISHED Reserved 2026-06-15 | Published 2026-07-08 | Updated 2026-07-09 | Assigner GitHub_M




MEDIUM: 4.4CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-306: Missing Authentication for Critical Function

Product status

>= 1.9.0, < 1.9.1
affected

< 1.8.1
affected

References

github.com/...oreWCF/security/advisories/GHSA-wjpq-6766-7f5j

github.com/...ommit/994431268e3362c0cd126450fe2a135c202551f3

github.com/...ommit/9af16955e51a57348dafce0019e259a092ef7440

github.com/...ommit/f2f1a05927a88b8a75fa0582fa8ed75eb891e463

github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1

github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1

cve.org (CVE-2026-54776)

nvd.nist.gov (CVE-2026-54776)

Download JSON