diff --git a/programs/bpf_loader/src/syscalls.rs b/programs/bpf_loader/src/syscalls.rs
index 9c759536f2..4a29b89c4d 100644
--- a/programs/bpf_loader/src/syscalls.rs
+++ b/programs/bpf_loader/src/syscalls.rs
@@ -16,8 +16,8 @@ use solana_sdk::{
     bpf_loader_upgradeable::{self, UpgradeableLoaderState},
     entrypoint::{MAX_PERMITTED_DATA_INCREASE, SUCCESS},
     feature_set::{
-        pubkey_log_syscall_enabled, ristretto_mul_syscall_enabled, sha256_syscall_enabled,
-        sol_log_compute_units_syscall,
+        limit_cpi_loader_invoke, pubkey_log_syscall_enabled, ristretto_mul_syscall_enabled,
+        sha256_syscall_enabled, sol_log_compute_units_syscall,
     },
     hash::{Hasher, HASH_BYTES},
     instruction::{AccountMeta, Instruction, InstructionError},
@@ -1234,7 +1234,9 @@ fn call<'a>(
     let (message, callee_program_id) =
         MessageProcessor::create_message(&instruction, &keyed_account_refs, &signers)
             .map_err(SyscallError::InstructionError)?;
-    check_authorized_program(&callee_program_id)?;
+    if invoke_context.is_feature_active(&limit_cpi_loader_invoke::id()) {
+        check_authorized_program(&callee_program_id)?;
+    }
     let (accounts, account_refs) = syscall.translate_accounts(
         &message,
         account_infos_addr,
diff --git a/sdk/src/feature_set.rs b/sdk/src/feature_set.rs
index 0ab99b2984..3503a00d07 100644
--- a/sdk/src/feature_set.rs
+++ b/sdk/src/feature_set.rs
@@ -114,6 +114,10 @@ pub mod max_cpi_instruction_size_ipv6_mtu {
     solana_sdk::declare_id!("5WLtuUJA5VVA1Cc28qULPfGs8anhoBev8uNqaaXeasnf");
 }
 
+pub mod limit_cpi_loader_invoke {
+    solana_sdk::declare_id!("xGbcW7EEC7zMRJ6LaJCob65EJxKryWjwM4rv8f57SRM");
+}
+
 lazy_static! {
     /// Map of feature identifiers to user-visible description
     pub static ref FEATURE_NAMES: HashMap<Pubkey, &'static str> = [
@@ -144,6 +148,7 @@ lazy_static! {
         (stake_program_v3::id(), "solana_stake_program v3"),
         (bpf_loader_upgradeable_program::id(), "upgradeable bpf loader"),
         (max_cpi_instruction_size_ipv6_mtu::id(), "Max cross-program invocation size 1280"),
+        (limit_cpi_loader_invoke::id(), "Loader not authorized via CPI"),
         /*************** ADD NEW FEATURES HERE ***************/
     ]
     .iter()