Back to search
CVE-2026-5222
Published: May 25, 2026
Modified: May 26, 2026
PUBLISHED
Description
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
| Vendor | Product | Versions |
|---|---|---|
Rust | Cargo | affected 1.68.0 - < 1.96.0 |
Weaknesses (CWE)
References
https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s
vendor-advisory
mailing-list
https://blog.rust-lang.org/2026/05/25/cve-2026-5222/
vendor-advisory
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now