CVE-2026-54780: CoreWCF: WS-Security Reference DigestMethod Algorithm-Suite Bypass

June 19, 2026

CoreWCF’s WS-Security 1.0 receive pipeline validates the SignatureMethod of an incoming ds:SignedInfo against the configured SecurityAlgorithmSuite, but does not validate the DigestMethod declared on each ds:Reference. As a result, a sender can populate ds:SignedInfo with SignatureMethod values the suite accepts (for example rsa-sha256 under Basic256Sha256) while declaring a per-reference DigestMethod the suite rejects (for example http://www.w3.org/2000/09/xmldsig#sha1). The signature is then verified where it permits SHA-1 digests, and the message is accepted.

References

github.com/CoreWCF/CoreWCF/security/advisories/GHSA-4v55-cpmv-3vcm
github.com/advisories/GHSA-4v55-cpmv-3vcm
nvd.nist.gov/vuln/detail/CVE-2026-54780

Code Behaviors & Features

Detect and mitigate CVE-2026-54780 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →