CVE-2026-26267: CWE-670: Always-Incorrect Control Flow Implementation in stellar rs-soroban-sdk
soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the `#[contractimpl]` macro contains a bug in how it wires up function calls. `#[contractimpl]` generates code that uses `MyContract::value()` style calls even when it's processing the trait version. This means if an inherent function is also defined with the same name, the inherent function gets called instead of the trait function. This means the Wasm-exported entry point silently calls the wrong function when two conditions are met simultaneously: First, an `impl Trait for MyContract` block is defined with one or more functions, with `#[contractimpl]` applied. Second, an `impl MyContract` block is defined with one or more identically named functions, without `#[contractimpl]` applied. If the trait version contains important security checks, such as verifying the caller is authorized, that the inherent version does not, those checks are bypassed. Anyone interacting with the contract through its public interface will call the wrong function. The problem is patched in `soroban-sdk-macros` versions 22.0.10, 23.5.2, and 25.1.1. The fix changes the generated call from `<Type>::func()` to `<Type as Trait>::func()` when processing trait implementations, ensuring Rust resolves to the trait associated function regardless of whether an inherent function with the same name exists. Users should upgrade to `soroban-sdk-macros` 22.0.10, 23.5.2, or 25.1.1 and recompile their contracts. If upgrading is not immediately possible, contract developers can avoid the issue by ensuring that no inherent associated function on the contract type shares a name with any function in the trait implementation. Renaming or removing the conflicting inherent function eliminates the ambiguity and causes the macro-generated code to correctly resolve to the trait function.
AI Analysis
Technical Summary
CVE-2026-26267 is a vulnerability in the Stellar rs-soroban-sdk, a Rust SDK used for developing Soroban smart contracts. The root cause lies in the #[contractimpl] procedural macro, which generates code to wire up contract function calls. Prior to patched versions (22.0.10, 23.5.2, 25.1.1), the macro incorrectly generates calls using the syntax MyContract::value() even when processing trait implementations. When a contract defines both an inherent implementation (impl MyContract) and a trait implementation (impl Trait for MyContract) with identically named functions, the macro-generated code calls the inherent function instead of the trait function. This is problematic because trait functions often include essential security checks, such as verifying caller authorization, which the inherent functions may omit. As a result, the Wasm-exported entry point silently invokes the wrong function, bypassing security controls without any explicit error or warning. The fix changes the macro to generate calls using fully qualified syntax (<Type as Trait>::func()), ensuring Rust resolves to the trait method regardless of inherent functions with the same name. This vulnerability affects all versions before 22.0.10, 23.5.2, and 25.1.1, impacting contracts compiled with these SDK versions. Exploitation requires no privileges or user interaction, making it a critical integrity risk for deployed smart contracts on the Stellar blockchain. Developers must upgrade the soroban-sdk-macros package and recompile contracts or avoid naming conflicts between inherent and trait functions to mitigate this issue.
Potential Impact
This vulnerability undermines the integrity of Soroban smart contracts by causing them to execute unintended code paths that bypass critical security checks. Specifically, if the trait implementation includes authorization or validation logic that the inherent function lacks, attackers can interact with the contract's public interface to invoke insecure functions, potentially leading to unauthorized actions such as fund transfers or state changes. Since the vulnerability affects the core SDK used to build contracts on the Stellar blockchain, any contract compiled with vulnerable versions is at risk. This could erode trust in the affected contracts and the broader Stellar ecosystem. The vulnerability does not directly impact confidentiality or availability but poses a high risk to contract integrity and authorization enforcement. Given the ease of exploitation (no privileges or user interaction required) and the silent nature of the failure, attackers could exploit this flaw without detection. Organizations relying on Soroban smart contracts for financial or critical operations face significant risk of unauthorized transactions or logic bypasses until patched.
Mitigation Recommendations
1. Upgrade the soroban-sdk-macros package to version 22.0.10, 23.5.2, or 25.1.1 or later, and recompile all Soroban contracts to ensure the macro generates correct trait function calls. 2. If immediate upgrading is not feasible, audit all contracts for naming conflicts between inherent functions and trait functions; rename or remove any inherent functions that share names with trait functions to prevent ambiguous resolution. 3. Implement thorough code reviews focusing on function naming and macro usage to avoid similar issues in future contract development. 4. Employ automated static analysis tools to detect conflicting function names in contract codebases. 5. Monitor deployed contracts for anomalous behavior that could indicate exploitation of this vulnerability. 6. Educate developers on the importance of understanding Rust trait vs inherent function resolution semantics, especially in macro-generated code. 7. Consider adding runtime checks or additional authorization layers outside the vulnerable macro-generated code as a defense-in-depth measure until all contracts are patched.
Affected Countries
United States, Germany, Japan, South Korea, Singapore, United Kingdom, Switzerland, Canada, Australia, Netherlands
CVE-2026-26267: CWE-670: Always-Incorrect Control Flow Implementation in stellar rs-soroban-sdk
Description
soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the `#[contractimpl]` macro contains a bug in how it wires up function calls. `#[contractimpl]` generates code that uses `MyContract::value()` style calls even when it's processing the trait version. This means if an inherent function is also defined with the same name, the inherent function gets called instead of the trait function. This means the Wasm-exported entry point silently calls the wrong function when two conditions are met simultaneously: First, an `impl Trait for MyContract` block is defined with one or more functions, with `#[contractimpl]` applied. Second, an `impl MyContract` block is defined with one or more identically named functions, without `#[contractimpl]` applied. If the trait version contains important security checks, such as verifying the caller is authorized, that the inherent version does not, those checks are bypassed. Anyone interacting with the contract through its public interface will call the wrong function. The problem is patched in `soroban-sdk-macros` versions 22.0.10, 23.5.2, and 25.1.1. The fix changes the generated call from `<Type>::func()` to `<Type as Trait>::func()` when processing trait implementations, ensuring Rust resolves to the trait associated function regardless of whether an inherent function with the same name exists. Users should upgrade to `soroban-sdk-macros` 22.0.10, 23.5.2, or 25.1.1 and recompile their contracts. If upgrading is not immediately possible, contract developers can avoid the issue by ensuring that no inherent associated function on the contract type shares a name with any function in the trait implementation. Renaming or removing the conflicting inherent function eliminates the ambiguity and causes the macro-generated code to correctly resolve to the trait function.
AI-Powered Analysis
Technical Analysis
CVE-2026-26267 is a vulnerability in the Stellar rs-soroban-sdk, a Rust SDK used for developing Soroban smart contracts. The root cause lies in the #[contractimpl] procedural macro, which generates code to wire up contract function calls. Prior to patched versions (22.0.10, 23.5.2, 25.1.1), the macro incorrectly generates calls using the syntax MyContract::value() even when processing trait implementations. When a contract defines both an inherent implementation (impl MyContract) and a trait implementation (impl Trait for MyContract) with identically named functions, the macro-generated code calls the inherent function instead of the trait function. This is problematic because trait functions often include essential security checks, such as verifying caller authorization, which the inherent functions may omit. As a result, the Wasm-exported entry point silently invokes the wrong function, bypassing security controls without any explicit error or warning. The fix changes the macro to generate calls using fully qualified syntax (<Type as Trait>::func()), ensuring Rust resolves to the trait method regardless of inherent functions with the same name. This vulnerability affects all versions before 22.0.10, 23.5.2, and 25.1.1, impacting contracts compiled with these SDK versions. Exploitation requires no privileges or user interaction, making it a critical integrity risk for deployed smart contracts on the Stellar blockchain. Developers must upgrade the soroban-sdk-macros package and recompile contracts or avoid naming conflicts between inherent and trait functions to mitigate this issue.
Potential Impact
This vulnerability undermines the integrity of Soroban smart contracts by causing them to execute unintended code paths that bypass critical security checks. Specifically, if the trait implementation includes authorization or validation logic that the inherent function lacks, attackers can interact with the contract's public interface to invoke insecure functions, potentially leading to unauthorized actions such as fund transfers or state changes. Since the vulnerability affects the core SDK used to build contracts on the Stellar blockchain, any contract compiled with vulnerable versions is at risk. This could erode trust in the affected contracts and the broader Stellar ecosystem. The vulnerability does not directly impact confidentiality or availability but poses a high risk to contract integrity and authorization enforcement. Given the ease of exploitation (no privileges or user interaction required) and the silent nature of the failure, attackers could exploit this flaw without detection. Organizations relying on Soroban smart contracts for financial or critical operations face significant risk of unauthorized transactions or logic bypasses until patched.
Mitigation Recommendations
1. Upgrade the soroban-sdk-macros package to version 22.0.10, 23.5.2, or 25.1.1 or later, and recompile all Soroban contracts to ensure the macro generates correct trait function calls. 2. If immediate upgrading is not feasible, audit all contracts for naming conflicts between inherent functions and trait functions; rename or remove any inherent functions that share names with trait functions to prevent ambiguous resolution. 3. Implement thorough code reviews focusing on function naming and macro usage to avoid similar issues in future contract development. 4. Employ automated static analysis tools to detect conflicting function names in contract codebases. 5. Monitor deployed contracts for anomalous behavior that could indicate exploitation of this vulnerability. 6. Educate developers on the importance of understanding Rust trait vs inherent function resolution semantics, especially in macro-generated code. 7. Consider adding runtime checks or additional authorization layers outside the vulnerable macro-generated code as a defense-in-depth measure until all contracts are patched.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-12T17:10:53.412Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69978157d7880ec89b3497a0
Added to database: 2/19/2026, 9:32:07 PM
Last enriched: 2/19/2026, 9:47:20 PM
Last updated: 2/21/2026, 12:18:53 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-27203: CWE-15: External Control of System or Configuration Setting in YosefHayim ebay-mcp
HighCVE-2026-27168: CWE-122: Heap-based Buffer Overflow in HappySeaFox sail
HighCVE-2026-27134: CWE-287: Improper Authentication in strimzi strimzi-kafka-operator
HighCVE-2026-27190: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in denoland deno
HighCVE-2026-27026: CWE-770: Allocation of Resources Without Limits or Throttling in py-pdf pypdf
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.