RUSTSEC-2026-0146

Affected versions of anchor-lang allowed InterfaceAccount to accept accounts with an unexpected Anchor discriminator. A change to InterfaceAccount caused checked deserialization to be bypassed for this account wrapper, so validation proved only that the account owner matched one of the accepted interface owners. It did not prove that the account data belonged to the expected account type.

Programs using InterfaceAccount rely on Anchor to enforce both owner and account-type validation before the handler runs. With discriminator checking disabled, an attacker could pass another account type owned by an accepted program and have it deserialized through the expected interface wrapper. This could bypass account-type assumptions made by the program and lead to incorrect authorization or state handling.

The issue was fixed in anchor-lang 1.0.0-rc.2 by restoring checked deserialization for InterfaceAccount::try_from, while keeping explicitly unchecked behavior available only through the unchecked API. Users should upgrade to anchor-lang 1.0.0-rc.2 or later.