Logic Error in Anchor Framework for Solana Programs by Otter Sec
CVE-2026-45137
What is CVE-2026-45137?
Versions of the Anchor framework for Solana programs prior to 1.0.2 contain a logic error: when verifying the system program ID, a program incorrectly accepts any program ID. The flaw arises because the framework's default behaviour lets executable accounts pass unchecked, which can lead to arbitrary cross-program invocations (CPI) and payment bypassing. Specifically, when the implementation checks the ID of a program-typed account and the program type is left unspecified, it inadvertently permits any executable account. This assumption carries severe security risk, as an attacker could substitute a malicious program for the intended system program. This issue has been addressed in version 1.0.2.
Affected Version(s)
anchor >= 1.0.0, < 1.0.2
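As an added illustration (not Anchor's source code, and not the project's actual 1.0.2 patch), the following Rust models the check described above: a vulnerable variant that accepts any executable account when no expected program ID is given, beside a hardened variant that requires the caller to name the expected program ID and checks the key against it. `Pubkey`, `AccountInfo`, `CheckError` and the function names are simplified stand-ins; the only real Solana value used is the system program ID, which is the all-zero public key.

```rust
// Added illustration: a simplified model of the program-ID check described above.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// Solana's system program ID is the all-zero public key
/// (base58 "11111111111111111111111111111111").
pub const SYSTEM_PROGRAM_ID: Pubkey = Pubkey([0u8; 32]);

/// Minimal stand-in for the account fields that matter here.
pub struct AccountInfo {
    pub key: Pubkey,
    pub executable: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum CheckError {
    NotExecutable,
    WrongProgramId,
}

/// Vulnerable behaviour (hypothetical model of the pre-1.0.2 flaw): when no
/// expected program ID is supplied, any executable account passes the check.
pub fn check_program_vulnerable(acc: &AccountInfo, expected: Option<Pubkey>) -> Result<(), CheckError> {
    if !acc.executable {
        return Err(CheckError::NotExecutable);
    }
    match expected {
        Some(id) if acc.key != id => Err(CheckError::WrongProgramId),
        _ => Ok(()), // `None` falls through: the core of the bug
    }
}

/// Hardened form (assumed mitigation, not Anchor's actual patch): the expected
/// program ID is mandatory and must match the key; executable alone is not enough.
pub fn check_program_fixed(acc: &AccountInfo, expected: Pubkey) -> Result<(), CheckError> {
    if !acc.executable {
        return Err(CheckError::NotExecutable);
    }
    if acc.key != expected {
        return Err(CheckError::WrongProgramId);
    }
    Ok(())
}

fn main() {
    // Constructed sample: an executable account whose key is not the system program.
    let other = AccountInfo { key: Pubkey([7u8; 32]), executable: true };
    println!("vulnerable: {:?}", check_program_vulnerable(&other, None)); // Ok(())
    println!("fixed: {:?}", check_program_fixed(&other, SYSTEM_PROGRAM_ID)); // Err(WrongProgramId)
}
```

The vulnerable variant only rejects a substituted executable account when the caller happens to pass an expected ID; the hardened variant rejects it unconditionally, which is the property a defender should assert in tests for any program that takes the system program as an account.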
