CVE-2026-32129: CWE-328: Use of Weak Hash in stellar rs-soroban-poseidon
CVE-2026-32129 is a high-severity vulnerability in the stellar rs-soroban-poseidon library, specifically affecting the Poseidon V1 (PoseidonSponge) cryptographic hash function used in Soroban smart contracts. The issue arises because PoseidonSponge accepts variable-length inputs without injective padding, implicitly zero-filling unused rate positions when fewer inputs than the sponge rate are provided. This leads to trivial hash collisions where hash([m1, ..., mk]) equals hash([m1, ..., mk, 0]), undermining the hash function's collision resistance. Poseidon2 (Poseidon2Sponge) is not affected. The vulnerability has a CVSS 4.0 score of 8.7, indicating high severity, and does not require authentication or user interaction to exploit. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
The vulnerability CVE-2026-32129 affects the Poseidon V1 (PoseidonSponge) cryptographic hash function implementation in the stellar rs-soroban-poseidon library, which is used for hashing in Soroban smart contracts. PoseidonSponge is designed as a sponge construction accepting variable-length inputs with a sponge rate parameter T. However, it lacks injective padding, meaning that if the input vector length is less than T - 1, the remaining sponge rate positions are implicitly zero-filled. This zero-filling causes different input vectors to produce identical pre-permutation states, resulting in trivial hash collisions. For example, hashing [m1, ..., mk] yields the same hash as hashing [m1, ..., mk, 0] when k < T - 1. Such collisions compromise the collision resistance property critical for cryptographic hash functions, potentially allowing attackers to substitute one input for another without detection. The Poseidon2 variant (Poseidon2Sponge) is not vulnerable. The affected versions are all versions prior to 25.0.1 of rs-soroban-poseidon. The vulnerability has a CVSS 4.0 score of 8.7, reflecting its high impact and ease of exploitation over the network without authentication or user interaction. Although no exploits are currently known in the wild, the flaw poses a significant risk to the integrity of smart contracts relying on this hash function for security guarantees.
Potential Impact
This vulnerability undermines the collision resistance of the Poseidon V1 hash function used in Soroban smart contracts, which can have severe consequences for organizations relying on these contracts for secure transactions and data integrity. Attackers could exploit the trivial hash collisions to substitute malicious inputs that produce the same hash as legitimate inputs, potentially enabling fraud, unauthorized asset transfers, or manipulation of contract logic. This compromises the integrity and trustworthiness of blockchain operations using the affected library. Since the vulnerability requires no authentication or user interaction and can be exploited remotely, the attack surface is broad. The impact is particularly critical for financial institutions, decentralized finance (DeFi) platforms, and enterprises leveraging Stellar's Soroban smart contracts for critical business processes. The lack of known exploits in the wild suggests the vulnerability is newly disclosed, but the high CVSS score and fundamental cryptographic weakness indicate urgent remediation is needed to prevent future attacks.
Mitigation Recommendations
Organizations should immediately upgrade the rs-soroban-poseidon library to version 25.0.1 or later, where this vulnerability is addressed. Until upgrading, avoid using Poseidon V1 (PoseidonSponge) for hashing inputs with lengths less than the sponge rate minus one, or implement explicit injective padding to ensure unique input representations. Review all smart contracts and applications using PoseidonSponge to identify and remediate vulnerable hashing calls. Consider migrating to Poseidon2 (Poseidon2Sponge), which is not affected by this issue. Additionally, conduct thorough testing to detect any existing hash collisions that could have been exploited. Incorporate cryptographic best practices by validating input lengths and padding schemes to prevent similar issues. Monitor vendor advisories and threat intelligence feeds for any emerging exploit activity related to this CVE. Finally, educate developers on the importance of using secure cryptographic primitives and staying current with library updates.
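Because rs-soroban-poseidon is a Rust crate, the zero-fill collision from the Technical Summary and the "explicit injective padding" mitigation above are shown together in this added Rust illustration. It is not code from rs-soroban-poseidon and not necessarily the fix shipped in 25.0.1: the field (p = 2^31 - 1), the width T = 3, the throwaway permutation and the inputs are all constructed for the example, and only the absorb/padding logic is the point.

```rust
// Added illustration for CVE-2026-32129, not rs-soroban-poseidon code: a toy
// sponge over F_p (p = 2^31 - 1) with a throwaway permutation, NOT Poseidon.
// Only the absorb/padding logic is the point.
const P: u64 = 2_147_483_647; // x^5 is a bijection here: gcd(5, p - 1) = 1
const T: usize = 3;           // state width (the advisory's T); rate = T - 1
const RATE: usize = T - 1;

fn add(a: u64, b: u64) -> u64 { (a + b) % P }
fn mul(a: u64, b: u64) -> u64 { (a * b) % P } // operands < 2^31: no overflow

/// Stand-in permutation: 4 rounds of (round constant, x^5 S-box, mix by I + J).
fn permute(state: &mut [u64; T]) {
    for round in 0..4 {
        for (i, s) in state.iter_mut().enumerate() {
            let x = add(*s, (round * T + i + 1) as u64);
            let x2 = mul(x, x);
            *s = mul(mul(x2, x2), x);
        }
        let sum = state.iter().fold(0, |acc, &s| add(acc, s));
        state.iter_mut().for_each(|s| *s = add(*s, sum));
    }
}

/// Absorb a padded message (non-empty, length a multiple of RATE), squeeze one element.
fn absorb_and_squeeze(padded: &[u64]) -> u64 {
    assert!(!padded.is_empty() && padded.len() % RATE == 0);
    let mut state = [0u64; T];
    for block in padded.chunks(RATE) {
        state.iter_mut().zip(block).for_each(|(s, m)| *s = add(*s, *m));
        permute(&mut state);
    }
    state[0]
}

/// Vulnerable pattern from the advisory: fewer than RATE inputs are silently
/// zero-filled, so [m1, ..., mk] and [m1, ..., mk, 0] share one pre-permutation state.
pub fn hash_zero_fill(input: &[u64]) -> u64 {
    let mut padded = input.to_vec();
    while padded.is_empty() || padded.len() % RATE != 0 { padded.push(0); }
    absorb_and_squeeze(&padded)
}

/// Injective 10*-style padding: append a 1 marker, then zero-fill to the rate.
/// Dropping trailing zeros and then the marker recovers the input uniquely.
pub fn hash_injective(input: &[u64]) -> u64 {
    let mut padded = input.to_vec();
    padded.push(1);
    while padded.len() % RATE != 0 { padded.push(0); }
    absorb_and_squeeze(&padded)
}
```

With T = 3 the rate is 2, so a single-element input is the k < T - 1 case the advisory describes; the same check can be used as a unit test against any sponge wrapper to confirm its padding is injective before relying on it for commitments.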
Affected Countries
United States, Germany, Japan, South Korea, Singapore, United Kingdom, Canada, Australia, Switzerland, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:19:36.545Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b2ff142f860ef943d3c349
Added to database: 3/12/2026, 5:59:48 PM
Last enriched: 3/20/2026, 2:32:06 AM
Last updated: 4/26/2026, 11:17:39 PM