
RUSTSEC-2026-0144

Program<System> accepts arbitrary executable programs

Reported
Issued
Package
anchor-lang (crates.io)
Type
Vulnerability
Keywords
#solana #anchor #account-validation #system-program
Aliases
References
CVSS Score
8.2 HIGH
CVSS Details
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality Impact
Low
Integrity Impact
High
Availability Impact
None
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Patched
  • >=1.0.2
Unaffected
  • <1.0.0

Description

Affected versions of anchor-lang did not properly validate accounts declared as Program<'info, System>. The generic Program<T> validation path used Pubkey::default() as a sentinel to decide whether any executable program should be accepted. Since the system program id is also the default pubkey, Program<'info, System> was treated like the untyped Program<'info> case and accepted any executable program account.

Programs commonly rely on Program<'info, System> to ensure that CPI calls and instruction builders target the real Solana system program. With the faulty validation, an attacker could supply another executable program where the system program was expected, causing downstream logic to make false assumptions about payments, account creation, or other system-program CPIs.

The issue was fixed in anchor-lang 1.0.2 by separating the typed Program<T> validation path from the untyped Program<()> path, so Program<'info, System> now checks the provided account key against the system program id. Users should upgrade to anchor-lang 1.0.2 or later.
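The sentinel collision and the fix, reduced to a standalone model (an added example, not anchor-lang's own code; Pubkey, AccountInfo, Expected and the two validate_* functions are constructed stand-ins for the real Anchor/Solana types):

```rust
// Added example, not anchor-lang's code: a constructed model of the
// Program<'info, System> sentinel bug described above and of its fix.
#[derive(Clone, Copy, PartialEq, Eq, Debug, Default)]
pub struct Pubkey([u8; 32]);

/// The system program id is the all-zero key, i.e. exactly Pubkey::default().
pub const SYSTEM_PROGRAM_ID: Pubkey = Pubkey([0u8; 32]);

pub struct AccountInfo {
    pub key: Pubkey,
    pub executable: bool,
}

/// Typed Program<T> (a specific id) versus untyped Program<()> (any program).
#[derive(Clone, Copy)]
pub enum Expected {
    Program(Pubkey),
    AnyProgram,
}

/// Faulty path (pre-1.0.2 behaviour as the advisory describes it): the default
/// pubkey is the "accept any executable" sentinel, so System collides with it.
pub fn validate_faulty(acct: &AccountInfo, expected_id: Pubkey) -> Result<(), &'static str> {
    if !acct.executable {
        return Err("account is not executable");
    }
    if expected_id != Pubkey::default() && acct.key != expected_id {
        return Err("invalid program id");
    }
    Ok(()) // reached for ANY executable when expected_id == SYSTEM_PROGRAM_ID
}

/// Fixed path (1.0.2): typed and untyped checks are separate, so the system
/// program id is compared like any other program id.
pub fn validate_fixed(acct: &AccountInfo, expected: Expected) -> Result<(), &'static str> {
    if !acct.executable {
        return Err("account is not executable");
    }
    match expected {
        Expected::AnyProgram => Ok(()),
        Expected::Program(id) if acct.key == id => Ok(()),
        Expected::Program(_) => Err("invalid program id"),
    }
}

fn main() {
    // Constructed input: some other executable program passed where System is expected.
    let rogue = AccountInfo { key: Pubkey([7u8; 32]), executable: true };
    println!("faulty: {:?}", validate_faulty(&rogue, SYSTEM_PROGRAM_ID)); // Ok(())
    println!("fixed: {:?}", validate_fixed(&rogue, Expected::Program(SYSTEM_PROGRAM_ID))); // Err("invalid program id")
}
```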

Advisory available under CC-BY-4.0 license. Source: https://github.com/otter-sec/anchor/security/advisories/GHSA-c6rc-8jpp-2fgc