dotnet · CoreWCF.Primitives · Critical
CoreWCF.Primitives Security Vulnerability: Impersonation via TransportWithMessageCredential and WS-SecureConversation
A security vulnerability in CoreWCF.
What changed
A security vulnerability in CoreWCF.Primitives allows impersonation of authenticated Windows principals when using TransportWithMessageCredential with Windows client credentials and WS-SecureConversation sessions.
Who it affects
Applications using CoreWCF with security mode TransportWithMessageCredential, client credential type Windows, and session establishment (WS-SecureConversation).
What to do today
Upgrade to CoreWCF v1.9.1, or ensure communication is protected by SSL/TLS to prevent capture of the SCT (security context token) negotiation handshake.
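A triage check for the two sections above, added here as an example and not part of the advisory or the CoreWCF project: it flags CoreWCF package references that are not a pinned release at or above 1.9.1 and looks for the affected binding settings in source or config text. Treating every version below 1.9.1 as needing the upgrade is an assumption (the advisory lists no affected range); the sample project file and source snippet are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (1, 9, 1)  # fixed release named in the advisory

# Constructed sample inputs (not taken from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="CoreWCF.Primitives" Version="1.8.0" />
    <PackageReference Include="CoreWCF.Http" Version="1.9.1" />
    <PackageReference Include="CoreWCF.NetTcp" Version="1.*" />
    <PackageReference Include="Serilog" Version="3.1.1" />
  </ItemGroup>
</Project>"""
SAMPLE_SOURCE = """
var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
"""

def is_fixed(version):
    """True only for a pinned release >= FIXED; floating, missing or
    prerelease-of-FIXED versions return False so they get a manual look."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?([-+].*)?", version.strip())
    if not m:
        return False
    parts = tuple(int(g) for g in m.group(1, 2, 3))
    prerelease = (m.group(4) or "").startswith("-")
    return parts > FIXED or (parts == FIXED and not prerelease)

def packages_to_upgrade(csproj_xml):
    """Return [(package, version)] for CoreWCF.* references not known fixed."""
    findings = []
    for el in ET.fromstring(csproj_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":  # tolerate xmlns
            continue
        name = el.get("Include", "")
        version = el.get("Version", "")  # empty when managed centrally
        if name.lower().startswith("corewcf.") and not is_fixed(version):
            findings.append((name, version))
    return findings

def uses_affected_config(text):
    """True when code or config names both the security mode and the Windows
    message credential; session establishment still needs a manual check."""
    mode = re.search(r"TransportWithMessageCredential", text)
    cred = re.search(r"MessageCredentialType\.Windows|clientCredentialType\s*=\s*\"Windows\"", text)
    return bool(mode and cred)

if __name__ == "__main__":
    print(packages_to_upgrade(SAMPLE_CSPROJ))
    print(uses_affected_config(SAMPLE_SOURCE))
```

A hit from `uses_affected_config` only narrows the search: the third condition in "Who it affects", WS-SecureConversation session establishment, has to be confirmed against the binding itself.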