CVE-2026-26267 Overview
CVE-2026-26267 is an authorization bypass vulnerability in soroban-sdk, the Rust SDK for Soroban smart contracts on the Stellar blockchain. The vulnerability exists in the #[contractimpl] procedural macro, which incorrectly generates function call dispatch code that can silently call an unprotected inherent function instead of the intended trait function when both share the same name. This flaw allows attackers to bypass critical security checks implemented in trait functions.
Critical Impact
Smart contract security checks, including caller authorization verification, can be completely bypassed when exploiting this macro code generation flaw, potentially leading to unauthorized operations on affected Soroban contracts.
Affected Products
- soroban-sdk-macros versions prior to 22.0.10
- soroban-sdk-macros versions prior to 23.5.2
- soroban-sdk-macros versions prior to 25.1.1
Discovery Timeline
- 2026-02-19 - CVE-2026-26267 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26267
Vulnerability Analysis
This vulnerability stems from incorrect code generation in the #[contractimpl] procedural macro within soroban-sdk-macros. When developers implement a trait for their contract type with #[contractimpl] applied, the macro generates Wasm-exported entry points that dispatch incoming calls to the appropriate function implementations.
The flaw occurs because the macro generates function calls using the syntax <Type>::func() regardless of whether it's processing a trait implementation or an inherent implementation. In Rust, this syntax preferentially resolves to inherent implementations over trait implementations when both exist. Consequently, if a contract defines both an impl Trait for MyContract block (with #[contractimpl]) and an impl MyContract block containing a function with an identical name (without #[contractimpl]), the Wasm-exported entry point will silently call the inherent function instead of the trait function.
This is particularly dangerous in smart contract contexts where trait implementations often contain critical security validations such as caller authorization checks. An inherent function with the same name may lack these protections, allowing anyone interacting with the contract's public interface to execute privileged operations without authorization.
Root Cause
The root cause is CWE-670 (Always-Incorrect Control Flow Implementation). The derive_fn.rs module in soroban-sdk-macros generates function call dispatch code that unconditionally uses unqualified type syntax (<Type>::func()), which does not properly disambiguate between trait and inherent implementations when processing trait impl blocks. Rust's method resolution rules prioritize inherent implementations, causing the wrong function to be called.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying a vulnerable Soroban contract that has both a trait implementation with security checks and an inherent implementation with the same function name lacking those checks
- Invoking the contract function through its public Wasm interface
- The macro-generated dispatch code will call the unprotected inherent function, bypassing all security validations in the trait implementation
The following patch demonstrates the fix applied to derive_fn.rs:
// Collect errors as they are encountered and emit them at the end.
let mut errors = Vec::<Error>::new();
- let call = quote! { <#impl_ty>::#ident };
+ let call = if let Some(t) = trait_ident {
+ quote! { <#impl_ty as #t>::#ident }
+ } else {
+ quote! { <#impl_ty>::#ident }
+ };
// Prepare the env input.
let env_input = inputs.first().and_then(|a| match a {
Source: GitHub Commit Update
Detection Methods for CVE-2026-26267
Indicators of Compromise
- Unexpected successful execution of privileged contract operations by unauthorized callers
- Contract audit logs showing function invocations that should have been rejected by authorization checks
- Discrepancies between expected trait behavior and actual contract execution results
Detection Strategies
- Review contract source code for the presence of both impl Trait for ContractType blocks with #[contractimpl] and impl ContractType blocks containing functions with matching names
- Audit compiled Wasm binaries to verify correct function dispatch behavior
- Implement contract integration tests that specifically verify authorization checks are enforced
Monitoring Recommendations
- Monitor contract function invocations for unexpected access patterns or unauthorized operations
- Set up alerts for privileged operations executed by accounts that should not have authorization
- Regularly audit deployed contracts compiled with affected soroban-sdk-macros versions
How to Mitigate CVE-2026-26267
Immediate Actions Required
- Upgrade to soroban-sdk-macros version 22.0.10, 23.5.2, or 25.1.1 depending on your current version track
- Recompile all Soroban contracts after upgrading to regenerate correct dispatch code
- Audit existing contracts for the vulnerable pattern before redeployment
- Review contract audit logs for any signs of exploitation
Patch Information
Security patches are available through multiple pull requests addressing different version branches. The fix modifies the macro code generation to use fully qualified trait syntax (<Type as Trait>::func()) when processing trait implementations, ensuring Rust correctly resolves to the trait function regardless of whether an inherent function with the same name exists.
- GitHub Security Advisory GHSA-4chv-4c6w-w254
- GitHub Pull Request #1729
- GitHub Pull Request #1730
- GitHub Pull Request #1731
Workarounds
- Ensure no inherent associated function on the contract type shares a name with any function in a trait implementation
- Rename or remove conflicting inherent functions to eliminate the ambiguity
- Avoid defining impl ContractType blocks with functions that duplicate names from impl Trait for ContractType blocks
# Upgrade soroban-sdk-macros using Cargo
cargo update -p soroban-sdk-macros
# Verify the patched version is installed
cargo tree -p soroban-sdk-macros
# Recompile contracts to regenerate correct dispatch code
cargo build --release --target wasm32-unknown-unknown
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
