
CVE-2025-46834: CWE-863: Incorrect Authorization in alchemyplatform modular-account

Medium
Tags: Vulnerability, CVE-2025-46834, cve, cwe-863
Published: Thu May 15 2025 (05/15/2025, 19:37:07 UTC)
Source: CVE
Vendor/Project: alchemyplatform
Product: modular-account

Description

Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the `executeUserOp` -> `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens out of the account and configuring the permissions of external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 19:46:57 UTC

Technical Analysis

CVE-2025-46834 is a medium-severity vulnerability affecting Alchemy's Modular Account smart contract implementation, specifically versions on the 2.x branch up to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, including version 2.0.0. The Modular Account is designed to be compatible with Ethereum standards ERC-4337 and ERC-6900, enabling session keys (scoped external keys) to be granted by account owners for delegated access with restricted permissions. The vulnerability resides in the allowlist module responsible for enforcing access control restrictions on these session keys. Due to an incorrect authorization check (CWE-863), the module fails to properly validate calls made through the executeUserOp -> execute or executeBatch paths. This flaw allows any session key, regardless of its intended restrictions, to bypass the allowlist controls. Consequently, malicious actors controlling a session key can perform unauthorized operations such as transferring ERC20 and ERC721 tokens out of the account, modifying permissions on external modules, removing restrictions on session keys, or rotating keys with higher privileges to keys they control. This effectively compromises the integrity and confidentiality of the account's assets and control mechanisms. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The issue was fixed in commit 5e6f540d249afcaeaf76ab95517d0359fde883b0. The CVSS 4.0 base score is 6.6 (medium), reflecting network attack vector, low attack complexity, no privileges or user interaction required, but with high impact on integrity. No known exploits are reported in the wild as of the publication date.
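The authorization gap described above, as a simplified model added here (not Modular Account's own code or ABI): the pre-fix allowlist checks targets only when the session key calls `execute`/`executeBatch` directly, while the same calls wrapped in an ERC-4337 `executeUserOp` pass through unchecked; the corrected version unwraps the outer call first and fails closed on anything it does not recognise. Addresses and the call shapes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Union

# Constructed model of the account's three execution entry points
# (illustrative only; not the project's ABI or code).
@dataclass
class Execute:          # execute(target, value, data): one external call
    target: str

@dataclass
class ExecuteBatch:     # executeBatch([...]): several external calls
    calls: List[Execute]

@dataclass
class ExecuteUserOp:    # ERC-4337 executeUserOp: userOp.callData carries the real call
    inner: Union[Execute, ExecuteBatch]

Call = Union[Execute, ExecuteBatch, ExecuteUserOp]

def _targets_allowed(call: Union[Execute, ExecuteBatch], allowlist: FrozenSet[str]) -> bool:
    """Every external contract the call reaches must be on the session key's allowlist."""
    if isinstance(call, Execute):
        return call.target.lower() in allowlist
    return all(c.target.lower() in allowlist for c in call.calls)

def validate_vulnerable(call: Call, allowlist: FrozenSet[str]) -> bool:
    """Pre-fix behaviour as the advisory describes it: direct execute/executeBatch are
    checked, but the executeUserOp path is never unwrapped, so its targets go unchecked."""
    if isinstance(call, (Execute, ExecuteBatch)):
        return _targets_allowed(call, allowlist)
    return True   # executeUserOp falls through unchecked: the CWE-863 flaw

def validate_fixed(call: Call, allowlist: FrozenSet[str]) -> bool:
    """Unwrap executeUserOp before checking, and reject any unrecognised call shape."""
    if isinstance(call, ExecuteUserOp):
        call = call.inner
    if isinstance(call, (Execute, ExecuteBatch)):
        return _targets_allowed(call, allowlist)
    return False

# Constructed sample: the session key may only reach ROUTER; TOKEN is an ERC20 it must not touch.
ROUTER = "0x1111111111111111111111111111111111111111"
TOKEN = "0x2222222222222222222222222222222222222222"
ALLOWLIST = frozenset({ROUTER})

def demo() -> dict:
    direct = Execute(TOKEN)                                   # denied by both versions
    wrapped = ExecuteUserOp(ExecuteBatch([Execute(ROUTER), Execute(TOKEN)]))
    return {
        "direct_vulnerable": validate_vulnerable(direct, ALLOWLIST),
        "direct_fixed": validate_fixed(direct, ALLOWLIST),
        "wrapped_vulnerable": validate_vulnerable(wrapped, ALLOWLIST),   # True: bypass
        "wrapped_fixed": validate_fixed(wrapped, ALLOWLIST),             # False: blocked
    }
```

Running `demo()` shows the same batch being denied when sent directly but accepted by the pre-fix logic once wrapped, which is the behaviour a regression test for an allowlist module should pin down.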

Potential Impact

For European organizations utilizing Alchemy's Modular Account smart contracts, this vulnerability poses a significant risk to the security of digital assets managed via these accounts. Exploitation can lead to unauthorized transfer of ERC20 and ERC721 tokens, resulting in direct financial losses. Additionally, attackers can escalate privileges by altering session key permissions or rotating keys, potentially leading to persistent unauthorized access and further compromise of blockchain-based applications or services. Given the growing adoption of decentralized finance (DeFi), NFTs, and blockchain identity solutions in Europe, organizations relying on these smart contracts for asset custody or transaction authorization could face severe operational disruption and reputational damage. The vulnerability undermines trust in the security guarantees of modular accounts, which may affect compliance with European data protection and financial regulations if asset integrity or user consent mechanisms are violated. Although no exploits are currently known in the wild, the ease of exploitation and the critical nature of asset control in blockchain environments necessitate urgent remediation to prevent potential attacks.

Mitigation Recommendations

European organizations should immediately verify if they are running affected versions (2.0.0 or earlier on the 2.x branch) of Alchemy's Modular Account smart contracts. The primary mitigation is to upgrade to the fixed version that includes commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 or later, which correctly enforces authorization checks on session keys. Until upgrade is possible, organizations should consider revoking all session keys and avoid granting new session keys to external parties. Conduct thorough audits of all session key permissions and transaction logs to detect any unauthorized activity. Implement additional off-chain monitoring and alerting for unusual token transfers or permission changes. Where feasible, employ multi-signature or time-locked mechanisms to limit the impact of compromised session keys. Educate developers and security teams on the specifics of this vulnerability to prevent similar authorization logic errors in custom smart contract modules. Finally, maintain close coordination with Alchemy platform updates and security advisories to promptly apply future patches.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-30T19:41:58.135Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb739

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/11/2025, 7:46:57 PM

Last updated: 8/12/2025, 10:07:37 AM
