PatchSiren

UltraDAGcom CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH | UltraDAGcom | CVE published 2026-05-08

CVE-2026-42278

UltraDAG StateEngine contains a critical authorization bypass in SmartTransferTx processing. When transactions originate from a Pocket (a derived sub-address), the engine fails to resolve the pocket's parent account before checking spending policies. Because pockets lack their own SmartAccountConfig entries, the check_spending_policy method defaults to an authorized/no-policy result. This allows immediate [truncated]