CVE-2026-5222
2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Summary
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is low, due to the extremely niche requirements needed to achieve the attack.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Rust | Cargo | 1.68.0 < 1.96.0 | affected |
Weaknesses
- CWE-647: CWE-647 Use of Non-Canonical URL paths for authorization decisions
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s
- https://blog.rust-lang.org/2026/05/25/cve-2026-5222/
- https://github.com/rust-lang/cargo/pull/17031
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.