{"uuid": "541ddc20-a48a-48a5-a522-7a439ed04d16", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-429Q-FHH4-R6HJ", "type": "seen", "source": "https://gist.github.com/alon710/81762c48278b036a7f34dc62e8a4137d", "content": "# GHSA-429Q-FHH4-R6HJ: GHSA-429Q-FHH4-R6HJ: Account Substitution via Discriminator Bypass in Anchor InterfaceAccount\n\n> **CVSS Score:** 9.1\n> **Published:** 2026-05-13\n> **Full Report:** https://cvereports.com/reports/GHSA-429Q-FHH4-R6HJ\n\n## Summary\nA critical vulnerability in the Anchor framework's `anchor-lang` crate allows account substitution attacks. The `InterfaceAccount` type fails to validate the 8-byte account discriminator during deserialization, permitting an attacker to supply a mismatched account type and subvert program logic.\n\n## TL;DR\nAnchor versions prior to 1.0.0 skip structural discriminator checks for the `InterfaceAccount` type, allowing attackers to supply improperly typed accounts that bypass framework-level validation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-20\n- **Attack Vector**: Network\n- **Vulnerability Class**: Account Substitution / Type Confusion\n- **Exploit Status**: Proof-of-Concept Available\n- **CVSS v3.1 Score**: 9.1\n- **Patch Version**: 1.0.0\n\n## Affected Systems\n\n- Anchor Framework\n- Solana Smart Contracts utilizing anchor-lang < 1.0.0\n- Applications implementing InterfaceAccount\n- **anchor-lang**: < 1.0.0 (Fixed in: `1.0.0`)\n\n## Mitigation\n\n- Upgrade anchor-lang dependency to version 1.0.0 or later.\n- Audit all usages of InterfaceAccount across the program.\n- Ensure all account types have an explicit discriminator defined.\n- Remove usages of try_from_unchecked in production code.\n\n**Remediation Steps:**\n1. Update the Cargo.toml file to reference anchor-lang version 1.0.0.\n2. Execute cargo build-sbf to recompile the Solana program.\n3. Deploy the updated program binary to the mainnet.\n4. Conduct a review to confirm no unchecked deserialization occurs on the critical path.\n\n## References\n\n- [GitHub Advisory: GHSA-429Q-FHH4-R6HJ](https://github.com/advisories/GHSA-429Q-FHH4-R6HJ)\n- [Fix Pull Request #4139](https://github.com/solana-foundation/anchor/pull/4139)\n- [Fix Commit: 26ef369](https://github.com/solana-foundation/anchor/commit/26ef36968a62e28a1f028e7adae4806af30c747d)\n- [Anchor Framework Updates Changelog](https://www.anchor-lang.com/docs/updates/changelog)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-429Q-FHH4-R6HJ) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-13T16:10:29.000000Z"}