CVE-2026-5222

Summary

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is low, due to the extremely niche requirements needed to achieve the attack.

Affected Software

VendorProductVersion RangeStatus
RustCargo1.68.0 < 1.96.0affected

Weaknesses

  • CWE-647: CWE-647 Use of Non-Canonical URL paths for authorization decisions

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References