{"id":"RUSTSEC-2026-0146","summary":"`InterfaceAccount` allows account substitution between unexpected types","details":"Affected versions of `anchor-lang` allowed `InterfaceAccount` to accept accounts\nwith an unexpected Anchor discriminator. A change to `InterfaceAccount` caused\nchecked deserialization to be bypassed for this account wrapper, so validation\nproved only that the account owner matched one of the accepted interface owners.\nIt did not prove that the account data belonged to the expected account type.\n\nPrograms using `InterfaceAccount` rely on Anchor to enforce both owner and\naccount-type validation before the handler runs. With discriminator checking\ndisabled, an attacker could pass another account type owned by an accepted\nprogram and have it deserialized through the expected interface wrapper. This\ncould bypass account-type assumptions made by the program and lead to incorrect\nauthorization or state handling.\n\nThe issue was fixed in `anchor-lang` 1.0.0-rc.2 by restoring checked\ndeserialization for `InterfaceAccount::try_from`, while keeping explicitly\nunchecked behavior available only through the unchecked API. Users should\nupgrade to `anchor-lang` 1.0.0-rc.2 or later.","aliases":["GHSA-429q-fhh4-r6hj"],"modified":"2026-05-19T05:03:10.184357028Z","published":"2026-05-08T12:00:00Z","database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/anchor-lang"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0146.html"},{"type":"ADVISORY","url":"https://github.com/otter-sec/anchor/security/advisories/GHSA-429q-fhh4-r6hj"},{"type":"WEB","url":"https://github.com/otter-sec/anchor/pull/3837"},{"type":"WEB","url":"https://github.com/otter-sec/anchor/pull/4139"},{"type":"WEB","url":"https://github.com/otter-sec/anchor/commit/26ef36968a62e28a1f028e7adae4806af30c747d"}],"affected":[{"package":{"name":"anchor-lang","ecosystem":"crates.io","purl":"pkg:cargo/anchor-lang"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.0.0-rc.1"},{"fixed":"1.0.0-rc.2"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"os":[],"functions":[]}},"database_specific":{"cvss":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0146.json","informational":null,"categories":[]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}]}