Login Sign Up

CVE-2026-26267

7.5 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability in soroban-sdk allows attackers to bypass security checks in Soroban smart contracts when trait and inherent functions share the same name. The bug causes the wrong function to be called, potentially skipping authorization and validation logic. All developers using affected versions of soroban-sdk for Soroban contract development are impacted.

💻 Affected Systems

Products:
  • soroban-sdk
  • soroban-sdk-macros
Versions: All versions before 22.0.10, 23.5.2, and 25.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects contracts where trait and inherent functions have naming conflicts. The vulnerability exists at compile time and manifests in deployed contracts.

📦 What is this software?

Rs Soroban Sdk by Stellar

View all CVEs affecting Rs Soroban Sdk →

Rs Soroban Sdk by Stellar

View all CVEs affecting Rs Soroban Sdk →

Rs Soroban Sdk by Stellar

View all CVEs affecting Rs Soroban Sdk →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete contract compromise allowing unauthorized access to all contract functions and funds, bypassing all security controls.

🟠

Likely Case

Authorization bypass allowing unauthorized users to execute privileged contract functions they shouldn't have access to.

🟢

If Mitigated

No impact if contracts don't have conflicting function names between trait and inherent implementations.

🌐 Internet-Facing: HIGH - Smart contracts are inherently internet-facing and accessible to anyone on the blockchain network.
🏢 Internal Only: LOW - This affects public contract interfaces, not internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires identifying contracts with the specific function naming pattern and calling the vulnerable functions. No authentication needed as smart contracts are publicly accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: soroban-sdk-macros 22.0.10, 23.5.2, or 25.1.1

Vendor Advisory: https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-4chv-4c6w-w254

Restart Required: No

Instructions:

1. Update soroban-sdk-macros dependency to 22.0.10, 23.5.2, or 25.1.1. 2. Recompile all contracts. 3. Redeploy updated contracts to blockchain.

🔧 Temporary Workarounds

Function Renaming

all

Rename or remove inherent functions that conflict with trait function names to eliminate the ambiguity.

Manual code review and modification of contract source code

🧯 If You Can't Patch

  • Audit all contracts for function naming conflicts between trait and inherent implementations
  • Consider pausing or disabling affected contracts until they can be recompiled with the fix

🔍 How to Verify

Check if Vulnerable:

Check Cargo.toml for soroban-sdk-macros version below 22.0.10, 23.5.2, or 25.1.1, and review contract code for trait/inherent function name conflicts.

Check Version:

grep soroban-sdk-macros Cargo.toml && grep soroban-sdk-macros Cargo.lock

Verify Fix Applied:

Verify soroban-sdk-macros version is 22.0.10, 23.5.2, or 25.1.1 in Cargo.lock, and contracts have been recompiled with updated dependency.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected contract function calls
  • Authorization failures in contract logs

Network Indicators:

  • Unusual transaction patterns to contract functions that should be restricted

SIEM Query:

Not applicable - blockchain transactions are logged on-chain rather than traditional SIEM systems

📊 Metadata

CVE ID: CVE-2026-26267
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-670
Published: February 19, 2026
Last Updated: February 20, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-26267, you might also want to check these:

CVE-2020-1914 9.8

A logic vulnerability in Facebook Hermes JavaScript engine allows attackers to potentially read out ...

Same vulnerability type (CWE-670)
CVE-2025-43359 9.8

This CVE describes a UDP socket binding vulnerability in Apple operating systems where a UDP server ...

Same vulnerability type (CWE-670)
CVE-2025-29312 9.1

This vulnerability in ONOS (Open Network Operating System) v2.7.0 allows attackers to trigger unexpe...

Same vulnerability type (CWE-670)