CVE-2026-5223

5.3 MEDIUM

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to overrid...

Published: 2026-05-25 · Last updated: 2026-06-01

Severity and scoring

CVSS: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-61

Affected products

Vendor	Product
rust-lang	cargo

Description

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-5223
[Vendor advisory]https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
[Patch]https://github.com/rust-lang/cargo/pull/17031
[Other]https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8

Related CVEs

Same vendor

CVE-2026-5222 — Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol (6.5 MEDIUM)

Same CWE

CVE-2026-8784 — A vulnerability was detected in npitre cramfs-tools up to 2.2 (4.2 MEDIUM)
CVE-2026-6475 — Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g (8.8 HIGH)
CVE-2026-7819 — Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager (8.1 HIGH)
CVE-2026-31893 — Tunnelblick is an open source graphic user interface for OpenVPN on macOS (5.5 MEDIUM)