CVE-2026-26267 in soroban-sdk-macros #[contractimpl] enables trait-inherent name collisions
A high-severity flaw, CVE-2026-26267, in rs-soroban-sdk's soroban-sdk-macros crate makes the #[contractimpl] macro allow trait and inherent functions to collide when they share an identifier.
CVE-2026-26267 is a high-severity vulnerability in the rs-soroban-sdk project's soroban-sdk-macros crate, affecting the #[contractimpl] procedural macro. The bug manifests when contract code defines a trait method and an inherent method with the same name on the same type; under those conditions the macro permits a trait-inherent name collision that can alter how the contract is exported or invoked. The issue was disclosed and tracked in mid-to-late February 2026 and was under active tracking as of February 19, 2026.
The problem sits squarely in the #[contractimpl] expansion logic inside soroban-sdk-macros, the crate responsible for translating Rust contract impl blocks into Soroban-compatible exports. The rs-soroban-sdk codebase uses that crate to derive the contract ABI and generate glue functions. When an implementor writes both a trait function and an inherent function that share an identifier in the same contract type, the macro will not reliably distinguish them, producing overlapping symbols during the macro expansion phase.
Reproducing the behavior requires only a minimal contract: define a trait with a method, implement that trait for a contract type, provide an inherent method with the same name on the same type, and annotate the impl with #[contractimpl]. Developers who built contracts with this pattern, in local testing or in deployment, hit the collision in any build that runs the soroban-sdk-macros expansion step. The vulnerability is assigned CVE-2026-26267 and classified as high-severity because exported entrypoints in the compiled Soroban artifact can become ambiguous.
The immediate population at risk includes Rust developers authoring Soroban smart contracts with rs-soroban-sdk who rely on #[contractimpl] to expose contract methods. Contracts that combine trait-based abstraction and inherent convenience methods on the same type need attention. Because the defect arises at macro expansion, it can surface during compilation or only appear when a contract is invoked on-chain, depending on how names are resolved in the generated glue.
Until a patched release of soroban-sdk-macros is published by the rs-soroban-sdk maintainers, avoid defining trait and inherent functions that share the same name within contract types annotated with #[contractimpl]. Rename either the trait method or the inherent method to distinct identifiers, and verify contract behavior in a controlled testnet before deploying to production networks. Expect maintainers to publish an explicit fix and version update for soroban-sdk-macros in follow-up releases tracked to CVE-2026-26267.
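As an added example (not code from the rs-soroban-sdk project or from this advisory), a std-only Rust pre-build check that scans contract source for exactly the pattern described above: a fn name declared both in an inherent impl and in a trait impl on the same type. The `Greeter` trait, the `Contract` type and the sample source are constructed for this illustration; the scanner is a token heuristic rather than a parser, so it reads `impl Trait for Type` and `impl Type` headers literally and ignores generics.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Heuristic std-only scanner (not a real Rust parser): finds `impl Type { .. }` and
/// `impl Trait for Type { .. }` blocks and records, per type, the fn names declared
/// directly inside each as (inherent names, trait-impl names).
pub fn collect_impl_fns(src: &str) -> BTreeMap<String, (BTreeSet<String>, BTreeSet<String>)> {
    // Pad braces and parens so they tokenize apart from identifiers.
    let spaced = src.replace('{', " { ").replace('}', " } ").replace('(', " ( ");
    let toks: Vec<&str> = spaced.split_whitespace().collect();
    let mut out: BTreeMap<String, (BTreeSet<String>, BTreeSet<String>)> = BTreeMap::new();
    let mut i = 0;
    while i < toks.len() {
        if toks[i] != "impl" { i += 1; continue; }
        // Header is everything between `impl` and the opening brace.
        let Some(open) = toks[i..].iter().position(|t| *t == "{") else { break };
        let header = &toks[i + 1..i + open];
        let (ty, is_trait) = match header.iter().position(|t| *t == "for") {
            Some(f) => (header.get(f + 1), true), None => (header.first(), false) };
        let Some(ty) = ty else { i += open; continue };
        let entry = out.entry(ty.to_string()).or_default();
        let (mut depth, mut k) = (0usize, i + open);
        while k < toks.len() {
            match toks[k] {
                "{" => depth += 1,
                "}" => { depth -= 1; if depth == 0 { break; } }
                // Depth 1 only: fns nested inside bodies or closures are not exports.
                "fn" if depth == 1 => if let Some(n) = toks.get(k + 1) {
                    (if is_trait { &mut entry.1 } else { &mut entry.0 }).insert(n.to_string()); }
                _ => {}
            }
            k += 1;
        }
        i = k + 1;
    }
    out
}

/// Names declared both as an inherent fn and via a trait impl on the same type: the
/// pattern this advisory says to avoid under #[contractimpl] until a fixed release ships.
pub fn trait_inherent_collisions(src: &str) -> BTreeMap<String, Vec<String>> {
    collect_impl_fns(src).into_iter().filter_map(|(ty, (inh, tr))| {
        let dup: Vec<String> = inh.intersection(&tr).cloned().collect();
        (!dup.is_empty()).then_some((ty, dup))
    }).collect()
}

/// Constructed sample shaped like a Soroban contract source: `hello` collides, `version` does not.
pub const SAMPLE: &str = r#"pub trait Greeter { fn hello(env: Env) -> Symbol; }
#[contractimpl] impl Greeter for Contract { fn hello(env: Env) -> Symbol { symbol_short!("trait") } }
#[contractimpl] impl Contract {
    pub fn hello(env: Env) -> Symbol { symbol_short!("inher") }
    pub fn version(env: Env) -> u32 { let f = || { 1 }; f() } }"#;
```

Running `trait_inherent_collisions` over each contract crate's sources in CI fails the build on any type that reports a duplicate, which is the rename-or-block check the workaround above asks for.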