PT-2026-20342 · Unknown · Soroban-Sdk-Macros

Nan-Zellic · Published 2026-02-17 · Updated 2026-02-19 · CVE-2026-26267

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

soroban-sdk-macros versions prior to 22.0.10
soroban-sdk-macros versions prior to 23.5.2
soroban-sdk-macros versions prior to 25.1.1

Description

The #[contractimpl] macro in soroban-sdk-macros has a flaw in how it generates function calls. When processing trait implementations, the macro emits a call in an incorrect style, so that if an inherent function and a trait function share the same name, the inherent function may be invoked instead of the intended trait function. Because the trait implementation is where security checks live, those checks can be bypassed, allowing unauthorized access or execution. The issue arises when an impl Trait for MyContract block annotated with #[contractimpl] is defined alongside an impl MyContract block, not annotated with #[contractimpl], that contains identically named functions. The fix changes the generated call from <Type>::func() to <Type as Trait>::func(), which unambiguously selects the trait function.

Recommendations

Upgrade to soroban-sdk-macros version 22.0.10 or later.
Upgrade to soroban-sdk-macros version 23.5.2 or later.
Upgrade to soroban-sdk-macros version 25.1.1 or later, and recompile your contracts.
If upgrading is not immediately possible, ensure that no inherent associated function on the contract type shares a name with any function in the trait implementation.
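The following is an added illustration of the resolution behaviour described above, written in plain Rust without soroban-sdk; it is not code from the soroban-sdk-macros project. The trait Guarded, the type MyContract, the function transfer and the caller_is_admin flag are hypothetical names standing in for a contract type, a trait carrying an access check, and a guarded entry point. dispatch_vulnerable models the <Type>::func() call style the macro used to generate, and dispatch_fixed models the corrected <Type as Trait>::func() style.

```rust
// Added example (not soroban-sdk code): plain Rust showing why the generated
// call style matters when an inherent and a trait function share a name.
// `Guarded`, `MyContract`, `transfer` and `caller_is_admin` are hypothetical.

/// Hypothetical trait whose implementation carries the authorization check.
pub trait Guarded {
    fn transfer(caller_is_admin: bool, amount: u64) -> Result<u64, &'static str>;
}

pub struct MyContract;

/// Inherent function with the SAME name as the trait function, and no check.
/// This models the `impl MyContract` block that lacks #[contractimpl].
impl MyContract {
    pub fn transfer(_caller_is_admin: bool, amount: u64) -> Result<u64, &'static str> {
        Ok(amount)
    }
}

/// Trait implementation, where the security check lives.
/// This models the `impl Guarded for MyContract` block under #[contractimpl].
impl Guarded for MyContract {
    fn transfer(caller_is_admin: bool, amount: u64) -> Result<u64, &'static str> {
        if !caller_is_admin {
            return Err("unauthorized");
        }
        Ok(amount)
    }
}

/// Models the call style the vulnerable macro generated: `<Type>::func()`.
/// Rust resolves this path to the inherent function first, so the trait's
/// check is silently skipped.
pub fn dispatch_vulnerable(caller_is_admin: bool, amount: u64) -> Result<u64, &'static str> {
    <MyContract>::transfer(caller_is_admin, amount)
}

/// Models the fixed call style: `<Type as Trait>::func()`.
/// The fully qualified path selects the trait implementation unambiguously,
/// regardless of any inherent function with the same name.
pub fn dispatch_fixed(caller_is_admin: bool, amount: u64) -> Result<u64, &'static str> {
    <MyContract as Guarded>::transfer(caller_is_admin, amount)
}

fn main() {
    // A non-admin caller: the vulnerable dispatch succeeds, the fixed one is rejected.
    println!("vulnerable dispatch: {:?}", dispatch_vulnerable(false, 100));
    println!("fixed dispatch:      {:?}", dispatch_fixed(false, 100));
}
```

Running it shows the non-admin call returning Ok(100) through the vulnerable dispatch and Err("unauthorized") through the fixed one. The same resolution rule is what the interim recommendation relies on: with no inherent function named like a trait function, both call styles resolve to the trait implementation.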

Related Identifiers

CVE-2026-26267
GHSA-4CHV-4C6W-W254

Affected Products

Soroban-Sdk-Macros