CVE-2026-45137

Name of the Vulnerable Software and Affected Versions anchor-lang versions prior to 1.0.2

Description A logic error in the account validation process allows programs to accept any executable program ID when the system program ID is required. This occurs because the validation path for Program<T> used Pubkey::default() as a sentinel to determine if any executable account should be accepted. Since the system program ID is also the default public key, Program<'info, System> was incorrectly treated as an untyped program, accepting any executable account.

This account validation bypass affects on-chain programs relying on the system program, potentially leading to arbitrary Cross-Program Invocations (CPI) or payment bypasses. An attacker can supply a malicious executable program instead of the system program, causing the victim program to make false assumptions regarding payments or account creation.

Recommendations Update to anchor-lang version 1.0.2 or later.