CVE-2026-5222

6.5 MEDIUM

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol

Published: 2026-05-25 · Last updated: 2026-06-01

Severity and scoring

CVSS: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-647

Affected products

Vendor	Product
rust-lang	cargo

Description

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-5222
[Vendor advisory]https://blog.rust-lang.org/2026/05/25/cve-2026-5222/
[Patch]https://github.com/rust-lang/cargo/pull/17031
[Other]https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s

Related CVEs

Same vendor

CVE-2026-5223 — Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to overrid... (5.3 MEDIUM)