CVE-2026-45137

Source
https://cve.org/CVERecord?id=CVE-2026-45137
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45137.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45137
Aliases
Published
2026-05-27T20:52:23.381Z
Modified
2026-07-08T08:11:00.366085121Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVSS Calculator
Summary
Anchor: Program<'info, System> is not properly validated
Details

Anchor is a framework providing several convenient developer tools for writing Solana programs. From 1.0.0 to before 1.0.2, an logic error causes anchor programs to accept any program id when requiring the system program id, causing false assumptions resulting in potential arbitrary cpi in programs that invoke system program instructions. In the TryFrom<&'a AccountInfo<'a>> implementation for Program<'a, T>, the id of T is compared with Pubkey::default() to check whether anchor should allow any executable account, or a specific account, because when no T is supplied, T defaults to (), which implements Id::id() by returning Pubkey::default(). This results in T = () and T = System (which has Pubkey::default() as the id) having the same behavior, both allow any executable account. Programs built with anchor assume that the anchor runtime verifies passed in programs of type Program<'a, System> are in fact the system program. This false assumption can lead to arbitrary CPI or payment bypassing when programs try making CPI calls to the system program using the passed in system program due to the fact that the attacker can pass in any program instead of the system program. This vulnerability is fixed in 1.0.2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45137.json",
    "cwe_ids": [
        "CWE-20"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/otter-sec/anchor

Affected ranges

Type
GIT
Repo
https://github.com/otter-sec/anchor
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "1.0.2"
        },
        {
            "introduced": "0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45137.json"