HIGH
solana-foundation
CVE published 2026-05-27
CVE-2026-45137
## Summary

Anchor framework versions 1.0.0 through 1.0.1 contain a logic error in the `TryFrom<&'a AccountInfo<'a>>` implementation for `Program<'a, T>`. The vulnerability causes Anchor programs to accept any executable account when the System program is expected, due to `T = ()` and `T = System` both resolving to `Pubkey::default()` in the ID check. This allows attackers to substitute arbitrary programs [truncated]
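
A simplified model of the ID check described in the summary, added here as an illustration; it is not Anchor's code or its fix. The trait names, `check_flawed` and `check_strict` are hypothetical, and the model assumes `T = ()` is the case intended to accept any executable program.

```rust
// Simplified model of the sentinel collision; every name here is hypothetical.
type Pubkey = [u8; 32];
const DEFAULT: Pubkey = [0u8; 32]; // stands in for Pubkey::default()

struct Account { key: Pubkey, executable: bool }

trait Id { fn id() -> Pubkey; }
struct System; // the System program's address is 32 zero bytes
impl Id for System { fn id() -> Pubkey { DEFAULT } }
impl Id for () { fn id() -> Pubkey { DEFAULT } } // assumed "any program" marker

// Flawed: infers "no specific program expected" from the ID's value,
// so System (whose ID is also all zeros) takes the wildcard path.
fn check_flawed<T: Id>(a: &Account) -> bool {
    if !a.executable { return false; }
    T::id() == DEFAULT || a.key == T::id()
}

// Hardened sketch: the wildcard is stated explicitly (None), never inferred
// from a key value, so System always gets a real comparison.
trait Expected { fn expected() -> Option<Pubkey>; }
impl Expected for System { fn expected() -> Option<Pubkey> { Some(DEFAULT) } }
impl Expected for () { fn expected() -> Option<Pubkey> { None } }

fn check_strict<T: Expected>(a: &Account) -> bool {
    a.executable && T::expected().map_or(true, |id| a.key == id)
}

// Runs both checks over constructed sample accounts.
fn demo() -> (bool, bool, bool, bool) {
    let other = Account { key: [7u8; 32], executable: true }; // constructed non-System program
    let system = Account { key: DEFAULT, executable: true };
    (
        check_flawed::<System>(&other),  // accepted although System was expected
        check_strict::<System>(&other),  // rejected
        check_strict::<System>(&system), // genuine System program accepted
        check_strict::<()>(&other),      // explicit wildcard still accepts
    )
}

fn main() {
    println!("{:?}", demo());
}
```
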