CVE-2026-45137
Received - Intake
Logic Error in Anchor Framework Allows Arbitrary CPI

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Anchor is a framework providing several convenient developer tools for writing Solana programs. From 1.0.0 to before 1.0.2, a logic error causes Anchor programs to accept any program id where the system program id is required, which creates false assumptions and can result in arbitrary CPI in programs that invoke system program instructions. In the TryFrom<&'a AccountInfo<'a>> implementation for Program<'a, T>, the id of T is compared with Pubkey::default() to decide whether Anchor should allow any executable account or only a specific account, because when no T is supplied, T defaults to (), which implements Id::id() by returning Pubkey::default(). As a result, T = () and T = System (which has Pubkey::default() as its id) behave the same way: both allow any executable account. Programs built with Anchor assume that the Anchor runtime verifies that accounts passed in as Program<'a, System> are in fact the system program. This false assumption can lead to arbitrary CPI or payment bypass when a program makes CPI calls to the system program through the passed-in account, because an attacker can pass in any program instead of the system program. This vulnerability is fixed in 1.0.2.
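
The sentinel collision described above, modeled in plain Rust as an added example (not Anchor's code and not the 1.0.2 patch). Pubkey, AccountInfo and Id are simplified stand-ins; the ANY_PROGRAM constant and both check functions are hypothetical names showing one way to keep the "any program" case separate from the system program id.

```rust
// Simplified stand-ins for the types named in the description (assumed model).
#[derive(Clone, Copy, PartialEq, Eq, Debug, Default)]
pub struct Pubkey(pub [u8; 32]);

pub struct AccountInfo { pub key: Pubkey, pub executable: bool }

pub trait Id {
    fn id() -> Pubkey;
    // Hypothetical addition: states explicitly whether any executable account is acceptable.
    const ANY_PROGRAM: bool = false;
}

// `()` is what T defaults to when no program type is supplied.
impl Id for () {
    fn id() -> Pubkey { Pubkey::default() }
    const ANY_PROGRAM: bool = true;
}

// The system program id is the all-zero key, i.e. equal to Pubkey::default().
pub struct System;
impl Id for System {
    fn id() -> Pubkey { Pubkey([0u8; 32]) }
}

// Check as described for 1.0.0 to before 1.0.2: the default key doubles as the wildcard.
pub fn check_vulnerable<T: Id>(info: &AccountInfo) -> Result<(), &'static str> {
    if T::id() != Pubkey::default() && info.key != T::id() {
        return Err("invalid program id");
    }
    if !info.executable { return Err("not executable"); }
    Ok(())
}

// Hardened variant: the wildcard is a separate flag, so System is compared by key.
pub fn check_hardened<T: Id>(info: &AccountInfo) -> Result<(), &'static str> {
    if !T::ANY_PROGRAM && info.key != T::id() {
        return Err("invalid program id");
    }
    if !info.executable { return Err("not executable"); }
    Ok(())
}

fn main() {
    // Constructed sample: an executable account that is not the system program.
    let other = AccountInfo { key: Pubkey([7u8; 32]), executable: true };
    println!("vulnerable accepts: {}", check_vulnerable::<System>(&other).is_ok());
    println!("hardened accepts:   {}", check_hardened::<System>(&other).is_ok());
}
```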
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor          Product  Version / Range
project_anchor  anchor   to 1.0.2 (exc)
project_anchor  anchor   1.0.2
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Anchor framework versions from 1.0.0 to before 1.0.2, which is used for writing Solana programs. A logic error causes Anchor programs to accept any program ID when they require the system program ID. This happens because the implementation compares the ID of a generic type T with a default public key, and both the empty type () and the System program share this default ID behavior. As a result, programs mistakenly allow any executable account instead of strictly the system program.

This false assumption can lead to arbitrary Cross-Program Invocation (CPI) or payment bypassing, since an attacker can pass any program instead of the legitimate system program when the program tries to invoke system program instructions.

The vulnerability was fixed in Anchor version 1.0.2.


How can this vulnerability impact me?

This vulnerability can allow an attacker to perform arbitrary Cross-Program Invocations (CPI) or bypass payments by passing a malicious program ID instead of the legitimate system program ID. This means that programs relying on Anchor to verify the system program ID may execute unintended or harmful instructions, potentially leading to unauthorized actions or financial loss.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade the Anchor framework to version 1.0.2 or later, where the issue is fixed.

