


Perceptive Security
SOC/SIEM Consultancy

Anchor is a framework providing several convenient developer tools for writing Solana programs. From 1.0.0 to before 1.0.2, a logic error causes Anchor program…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 22:02:45
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
CVE-2026-45137 affects the Anchor framework for Solana programs in versions from 1.0.0 up to, but not including, 1.0.2. A logic error causes Anchor programs to accept any program ID where the system program ID is required, so the program operates on the false assumption that the account it was given is the system program. This can result in arbitrary CPI (Cross-Program Invocation) or payment bypass when programs make CPI calls to the system program. The issue stems from improper validation in the TryFrom implementation for Program<'a, T>: an attacker can pass any executable program instead of the legitimate system program. The vulnerability is fixed in version 1.0.2.
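The validation gap described above, as an added stand-alone model that is not Anchor's source code and not taken from the advisory: it contrasts a check that accepts any executable account with one that also compares the account key against the required program ID. The `Account` struct, the error enum, the function names and the sample keys are hypothetical and constructed for illustration.

```rust
// Simplified model of the check; not Anchor's implementation. All names are hypothetical.

/// The Solana system program ID is 32 zero bytes (base58 "11111111111111111111111111111111").
pub const SYSTEM_PROGRAM_ID: [u8; 32] = [0u8; 32];

/// Minimal stand-in for an account handed to a program.
#[derive(Debug, Clone, Copy)]
pub struct Account {
    pub key: [u8; 32],
    pub executable: bool,
}

#[derive(Debug, PartialEq)]
pub enum ProgramCheckError {
    NotExecutable,
    WrongProgramId,
}

/// Models the behaviour the advisory describes: any executable account passes.
pub fn check_program_flawed(acc: &Account) -> Result<(), ProgramCheckError> {
    if !acc.executable {
        return Err(ProgramCheckError::NotExecutable);
    }
    Ok(()) // the key is never compared with the expected program ID
}

/// Expected behaviour: the key must equal the required ID and the account must be executable.
pub fn check_program_strict(acc: &Account, expected: &[u8; 32]) -> Result<(), ProgramCheckError> {
    if acc.key != *expected {
        return Err(ProgramCheckError::WrongProgramId);
    }
    if !acc.executable {
        return Err(ProgramCheckError::NotExecutable);
    }
    Ok(())
}

/// Constructed sample accounts: the system program and an unrelated executable program.
pub fn sample_accounts() -> (Account, Account) {
    let system = Account { key: SYSTEM_PROGRAM_ID, executable: true };
    let other = Account { key: [7u8; 32], executable: true }; // constructed key
    (system, other)
}

fn main() {
    let (system, other) = sample_accounts();
    println!("flawed(other) = {:?}", check_program_flawed(&other));
    println!("strict(other) = {:?}", check_program_strict(&other, &SYSTEM_PROGRAM_ID));
    println!("strict(system) = {:?}", check_program_strict(&system, &SYSTEM_PROGRAM_ID));
}
```

An explicit key comparison of this kind before a system-program CPI is a defence-in-depth check; the fix named on this page is upgrading to 1.0.2.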
Technical details
Mitigation steps:
Affected products:
Anchor Framework
Solana
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45137
https://github.com/otter-sec/anchor/security/advisories/GHSA-c6rc-8jpp-2fgc
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
