Release Notes
Package Info
CoreWCF.ConfigurationManager 1.8.1
CoreWCF.Http 1.8.1
CoreWCF.Kafka 1.8.1
CoreWCF.Kafka.Client 1.8.1
CoreWCF.MSMQ 1.8.1
CoreWCF.NetFramingBase 1.8.1
CoreWCF.NetNamedPipe 1.8.1-preview.1
CoreWCF.NetTcp 1.8.1
CoreWCF.Primitives 1.8.1
CoreWCF.Queue 1.8.1
CoreWCF.RabbitMQ 1.8.1
CoreWCF.RabbitMQ.Client 1.8.1
CoreWCF.Templates 1.8.1
CoreWCF.UnixDomainSocket 1.8.1
CoreWCF.WebHttp 1.8.1
.NET Compatibility
This release depends on .NET Standard 2.0 and runs on any .NET version which supports .NET Standard 2.0. This release supports .NET Framework 4.6.2 and above, .NET 8, and .NET 9. It has also been tested against .NET 10 and there are currently no known issues. It is built on top of ASP.NET Core and has been tested and runs on all currently supported versions of ASP.NET Core up to 9.0. The CoreWCF.RabbitMQ.Client, CoreWCF.Kafka.Client, and CoreWCF.UnixDomainSocket packages only support .NET 8 or later.
What's Changed
Security Fixes
This is a servicing release that addresses multiple security vulnerabilities. For full details, affected versions, and recommended mitigations, see each advisory linked below.
- CVE-2026-54782 / GHSA-xjr9-gg9q-jx3v — Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation
- CVE-2026-54774 / GHSA-rpj7-hr7h-w6p9 — SamlSerializer skips SignatureValue verification when SAML signing token is not an X.509 certificate
- CVE-2026-54781 / GHSA-48pq-2xq3-c2m4 — SAML SubjectConfirmation methods and holder-of-key proof keys are not enforced
- CVE-2026-54779 / GHSA-9jr3-rj99-8jq3 — SAML token replay protection is inoperative
- CVE-2026-54780 / GHSA-4v55-cpmv-3vcm — WS-Security Reference DigestMethod Algorithm-Suite Bypass
- CVE-2026-54773 / GHSA-jc6x-rj79-w4mx — WS-Security signature substitution via document-wide Signature lookup
- CVE-2026-54783 / GHSA-gqv6-pwcg-87r8 — XML Signature Wrapping in WS-Security endorsing/supporting signature verification allows replay of captured signed messages
- CVE-2026-54772 / GHSA-p86g-xrr2-pf7c — Pre-authentication infinite-loop CPU exhaustion in CoreWCF net.tcp / net.pipe / net.uds framing handshake
- CVE-2026-54777 / GHSA-6jj2-4q5c-x8g6 — CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance
- CVE-2026-54776 / GHSA-wjpq-6766-7f5j — Unix Domain Socket PosixIdentity transport accepts connections that skip the security upgrade
- CVE-2026-54778 / GHSA-q6v9-43v5-jv9q — UnixDomainSocket Non-Reentrant POSIX Identity Resolution
- CVE-2026-54775 / GHSA-m744-jhq9-ppw6 — Kafka consume pump halts permanently on a Kafka tombstone (null-value record), causing persistent endpoint denial of service
Feedback
Your feedback is important and appreciated. Please use the discussion #1738 for your questions and comments.
Full Changelog: v1.8.0...v1.8.1