Description
soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the `#[contractimpl]` macro contains a bug in how it wires up function calls. `#[contractimpl]` generates code that uses `MyContract::value()` style calls even when it's processing the trait version. This means if an inherent function is also defined with the same name, the inherent function gets called instead of the trait function. This means the Wasm-exported entry point silently calls the wrong function when two conditions are met simultaneously: First, an `impl Trait for MyContract` block is defined with one or more functions, with `#[contractimpl]` applied. Second, an `impl MyContract` block is defined with one or more identically named functions, without `#[contractimpl]` applied. If the trait version contains important security checks, such as verifying the caller is authorized, that the inherent version does not, those checks are bypassed. Anyone interacting with the contract through its public interface will call the wrong function. The problem is patched in `soroban-sdk-macros` versions 22.0.10, 23.5.2, and 25.1.1. The fix changes the generated call from `<Type>::func()` to `<Type as Trait>::func()` when processing trait implementations, ensuring Rust resolves to the trait associated function regardless of whether an inherent function with the same name exists. Users should upgrade to `soroban-sdk-macros` 22.0.10, 23.5.2, or 25.1.1 and recompile their contracts. If upgrading is not immediately possible, contract developers can avoid the issue by ensuring that no inherent associated function on the contract type shares a name with any function in the trait implementation. Renaming or removing the conflicting inherent function eliminates the ambiguity and causes the macro-generated code to correctly resolve to the trait function.
Published: 2026-02-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Immediate Patch
AI Analysis

Impact

The Soroban Rust SDK contains a macro bug that incorrectly routes contract calls. When a contract implements a trait with #[contractimpl] and also has an inherent method of the same name, the generated code mistakenly calls the inherent method instead of the trait method. If the trait method contains essential security checks such as caller verification, those checks are bypassed, allowing unauthenticated users to trigger functions that should be protected. This flaw effectively removes a layer of authorization and can lead to unauthorized state changes or other unintended contract behavior.

Affected Systems

The vulnerability affects the Stellar rs‑soroban‑sdk, specifically all builds prior to macros versions 22.0.10, 23.5.2, and 25.1.1. Users compiling contracts with these earlier SDK releases are impacted.

Risk and Exploitability

The CVSS score of 7.5 reflects a high impact from an information‑system perspective, while the EPSS score of less than 1% indicates a low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation. Attackers can trigger the flaw through the standard WASM contract interface over the network, exploiting the incorrect dispatch when trait‑based and inherent methods collide.

Generated by OpenCVE AI on April 18, 2026 at 11:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade your projects to soroban-sdk-macros v22.0.10, 23.5.2, or 25.1.1 and recompile all smart contracts.
  • Regenerate the SDK’s derived code to ensure the new version uses trait-aware function resolution.
  • As a temporary measure, audit your contracts for inherent methods that share names with trait functions and rename or remove those inherent methods to eliminate the ambiguity until the patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 11:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4chv-4c6w-w254 The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide
History

Fri, 20 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:stellar:rs-soroban-sdk:*:*:*:*:*:rust:*:*

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Stellar
Stellar rs-soroban-sdk
Vendors & Products Stellar
Stellar rs-soroban-sdk

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Description soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the `#[contractimpl]` macro contains a bug in how it wires up function calls. `#[contractimpl]` generates code that uses `MyContract::value()` style calls even when it's processing the trait version. This means if an inherent function is also defined with the same name, the inherent function gets called instead of the trait function. This means the Wasm-exported entry point silently calls the wrong function when two conditions are met simultaneously: First, an `impl Trait for MyContract` block is defined with one or more functions, with `#[contractimpl]` applied. Second, an `impl MyContract` block is defined with one or more identically named functions, without `#[contractimpl]` applied. If the trait version contains important security checks, such as verifying the caller is authorized, that the inherent version does not, those checks are bypassed. Anyone interacting with the contract through its public interface will call the wrong function. The problem is patched in `soroban-sdk-macros` versions 22.0.10, 23.5.2, and 25.1.1. The fix changes the generated call from `<Type>::func()` to `<Type as Trait>::func()` when processing trait implementations, ensuring Rust resolves to the trait associated function regardless of whether an inherent function with the same name exists. Users should upgrade to `soroban-sdk-macros` 22.0.10, 23.5.2, or 25.1.1 and recompile their contracts. If upgrading is not immediately possible, contract developers can avoid the issue by ensuring that no inherent associated function on the contract type shares a name with any function in the trait implementation. Renaming or removing the conflicting inherent function eliminates the ambiguity and causes the macro-generated code to correctly resolve to the trait function.
Title rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide
Weaknesses CWE-670
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Stellar Rs-soroban-sdk
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T21:22:10.126Z

Reserved: 2026-02-12T17:10:53.412Z

Link: CVE-2026-26267

cve-icon Vulnrichment

Updated: 2026-02-19T20:58:44.801Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T20:25:43.530

Modified: 2026-02-20T19:49:23.010

Link: CVE-2026-26267

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses