CVE-2026-45137
Awaiting Analysis Awaiting Analysis - Queue
Logic Error in Anchor Framework Allows Arbitrary CPI

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Anchor is a framework providing several convenient developer tools for writing Solana programs. From 1.0.0 to before 1.0.2, an logic error causes anchor programs to accept any program id when requiring the system program id, causing false assumptions resulting in potential arbitrary cpi in programs that invoke system program instructions. In the TryFrom<&'a AccountInfo<'a>> implementation for Program<'a, T>, the id of T is compared with Pubkey::default() to check whether anchor should allow any executable account, or a specific account, because when no T is supplied, T defaults to (), which implements Id::id() by returning Pubkey::default(). This results in T = () and T = System (which has Pubkey::default() as the id) having the same behavior, both allow any executable account. Programs built with anchor assume that the anchor runtime verifies passed in programs of type Program<'a, System> are in fact the system program. This false assumption can lead to arbitrary CPI or payment bypassing when programs try making CPI calls to the system program using the passed in system program due to the fact that the attacker can pass in any program instead of the system program. This vulnerability is fixed in 1.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45137
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
project_anchor anchor to 1.0.2 (exc)
project_anchor anchor 1.0.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability arises from improper validation of the system program ID in Anchor framework versions 1.0.0 to before 1.0.2, allowing any executable account to be accepted instead of the system program. Detection involves verifying the version of the Anchor framework used and inspecting programs that invoke the system program for improper CPI calls.

To detect this vulnerability on your system, you should:

  • Check if your Anchor framework version is between 1.0.0 and before 1.0.2, as these versions are vulnerable.
  • Audit Solana programs that perform Cross-Program Invocations (CPI) to the system program to ensure they correctly verify the program ID.
  • Look for suspicious CPI calls where the system program ID might be replaced by another executable account.

Suggested commands or steps include:

  • Use package management commands to check the installed version of anchor-lang, for example, in Rust projects: `cargo tree | grep anchor-lang`.
  • Review program source code or binaries for usage of `Program<'info, System>` and verify if the program ID checks are implemented correctly.
  • Monitor Solana transaction logs for unexpected CPI calls or failures that might indicate exploitation attempts.

Since this vulnerability is specific to the Anchor framework's internal logic, automated detection commands are limited; manual code review and version checks are the primary methods.

Executive Summary

This vulnerability exists in the Anchor framework versions from 1.0.0 to before 1.0.2, which is used for writing Solana programs. A logic error causes Anchor programs to accept any program ID when they require the system program ID. This happens because the implementation compares the ID of a generic type T with a default public key, and both the empty type () and the System program share this default ID behavior. As a result, programs mistakenly allow any executable account instead of strictly the system program.

This false assumption can lead to arbitrary Cross-Program Invocation (CPI) or payment bypassing, since an attacker can pass any program instead of the legitimate system program when the program tries to invoke system program instructions.

The vulnerability was fixed in Anchor version 1.0.2.

Impact Analysis

This vulnerability can allow an attacker to perform arbitrary Cross-Program Invocations (CPI) or bypass payments by passing a malicious program ID instead of the legitimate system program ID. This means that programs relying on Anchor to verify the system program ID may execute unintended or harmful instructions, potentially leading to unauthorized actions or financial loss.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Anchor framework to version 1.0.2 or later, where the issue is fixed.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45137. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart