CVE-2026-26267
Published: 19 February 2026
Summary
CVE-2026-26267 is a high-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in Stellar rs-soroban-sdk (the soroban-sdk crate). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked in the 16.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Bypasses authorization checks in public contract entrypoints (T1190 Exploit Public-Facing Application) to perform actions that should require elevated privileges (T1068 Exploitation for Privilege Escalation).
NVD Description
soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the `#[contractimpl]` macro contains a bug in how it wires up function calls. `#[contractimpl]` generates code that uses `MyContract::value()` style calls even when it's processing the trait version. This means if an inherent function is also defined with the same name, the inherent function gets called instead of the trait function. This means the Wasm-exported entry point silently calls the wrong function when two conditions are met simultaneously: First, an `impl Trait for MyContract` block is defined with one or more functions, with `#[contractimpl]` applied. Second, an `impl MyContract` block is defined with one or more identically named functions, without `#[contractimpl]` applied. If the trait version contains important security checks, such as verifying the caller is authorized, that the inherent version does not, those checks are bypassed. Anyone interacting with the contract through its public interface will call the wrong function. The problem is patched in `soroban-sdk-macros` versions 22.0.10, 23.5.2, and 25.1.1. The fix changes the generated call from `<Type>::func()` to `<Type as Trait>::func()` when processing trait implementations, ensuring Rust resolves to the trait associated function regardless of whether an inherent function with the same name exists. Users should upgrade to `soroban-sdk-macros` 22.0.10, 23.5.2, or 25.1.1 and recompile their contracts. If upgrading is not immediately possible, contract developers can avoid the issue by ensuring that no inherent associated function on the contract type shares a name with any function in the trait implementation. Renaming or removing the conflicting inherent function eliminates the ambiguity and causes the macro-generated code to correctly resolve to the trait function.
Deeper analysis
CVE-2026-26267 is a vulnerability in the soroban-sdk, a Rust SDK for Soroban contracts, specifically affecting the `#[contractimpl]` macro in versions prior to 22.0.10, 23.5.2, and 25.1.1 of soroban-sdk-macros. The macro incorrectly generates code that invokes functions using `MyContract::func()` syntax even when processing trait implementations. If an inherent `impl MyContract` block defines functions with the same names as those in an `impl Trait for MyContract` block marked with `#[contractimpl]`, the generated Wasm-exported entry points call the inherent functions instead of the trait versions, bypassing any security checks present only in the trait functions, such as caller authorization verification.
The vulnerability can be exploited by anyone interacting with the affected smart contract through its public interface, requiring no privileges (AV:N/AC:L/PR:N). Attackers achieve high integrity impact (CVSS 7.5) by triggering the public entry point, which silently resolves to the unprotected inherent function, enabling unauthorized actions that the trait implementation would otherwise prevent.
Patches are available in soroban-sdk-macros versions 22.0.10, 23.5.2, and 25.1.1, which modify the generated code to use `<Type as Trait>::func()` syntax, ensuring correct resolution to the trait function regardless of inherent implementations. Users must upgrade to these versions and recompile their contracts. As a workaround, developers can avoid naming conflicts by renaming or removing inherent functions that match trait function names. Details are provided in the GitHub security advisory GHSA-4chv-4c6w-w254 and related pull requests.
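The NVD description and the analysis above both come down to one Rust path-resolution rule: `Type::func()` prefers an inherent associated function over a trait function of the same name, while `<Type as Trait>::func()` always selects the trait one. The following stand-alone example is added here to show that rule in isolation; it is not soroban-sdk code and not the macro's generated output. The contract type `MyContract`, the trait `Vault`, its `withdraw` function, and the two hand-written dispatchers `vulnerable_entry` (the pre-fix `Type::func()` shape) and `patched_entry` (the fixed `<Type as Trait>::func()` shape) are all hypothetical names chosen for illustration. It compiles with plain `rustc` and needs no crates.

```rust
// Added illustration of the Rust path-resolution behaviour behind CVE-2026-26267.
// Stand-alone example code, not soroban-sdk or its #[contractimpl] output;
// the contract, trait and entry-point names below are hypothetical.

/// Outcome of a call: Ok(new balance) or an error string.
type CallResult = Result<u64, &'static str>;

/// Hypothetical contract type (in Soroban this would carry #[contract]).
pub struct MyContract;

/// Hypothetical trait standing in for the `impl Trait for MyContract`
/// block that, per the advisory, carries #[contractimpl].
pub trait Vault {
    fn withdraw(caller: &str, admin: &str, balance: u64, amount: u64) -> CallResult;
}

/// Trait version: this is the one with the authorization check.
impl Vault for MyContract {
    fn withdraw(caller: &str, admin: &str, balance: u64, amount: u64) -> CallResult {
        if caller != admin {
            return Err("not authorized");
        }
        balance.checked_sub(amount).ok_or("insufficient balance")
    }
}

/// Inherent version with the same name and NO check. This is the second
/// condition from the advisory: an `impl MyContract` block, without
/// #[contractimpl], that happens to define an identically named function.
impl MyContract {
    pub fn withdraw(_caller: &str, _admin: &str, balance: u64, amount: u64) -> CallResult {
        balance.checked_sub(amount).ok_or("insufficient balance")
    }
}

/// Mimics the pre-fix generated entry point: a plain `Type::func()` path.
/// Rust resolves this to the inherent function first, so the trait version
/// (and its check) is silently skipped.
pub fn vulnerable_entry(caller: &str, admin: &str, balance: u64, amount: u64) -> CallResult {
    MyContract::withdraw(caller, admin, balance, amount)
}

/// Mimics the fixed generated entry point: the fully qualified
/// `<Type as Trait>::func()` path, which always selects the trait
/// implementation regardless of any same-named inherent function.
pub fn patched_entry(caller: &str, admin: &str, balance: u64, amount: u64) -> CallResult {
    <MyContract as Vault>::withdraw(caller, admin, balance, amount)
}

fn main() {
    let admin = "GADMIN";
    // Unauthorized caller against the vulnerable wiring: the withdrawal goes through.
    println!("vulnerable: {:?}", vulnerable_entry("GMALLORY", admin, 100, 40));
    // Same call against the patched wiring: rejected by the trait's check.
    println!("patched:    {:?}", patched_entry("GMALLORY", admin, 100, 40));
}
```

Note that the compiler accepts both `withdraw` definitions without complaint, which is why the advisory's workaround is a naming discipline (no inherent function may share a name with a trait function on the contract type) rather than something the build will catch for you; auditing a contract for this condition means listing the function names in every `impl MyContract` block and diffing them against the `impl Trait for MyContract` blocks that carry `#[contractimpl]`.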
Details
- CWE(s)