Description
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
Published: 2026-05-25
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cargo versions 1.68 through 1.96 incorrectly normalize third-party registry URLs when using the sparse index protocol. The normalization strips the ".git" suffix from every registry URL, so two differently named registries on the same host can be treated as one. An attacker who can publish crates to a registry that shares the same domain as other registries can obtain the access credentials (e.g., tokens or passwords) stored for those registries, allowing unauthorized access to packages and potentially sensitive build artifacts. The weakness is classified as CWE-647, an information exposure through wrong normalization. The vulnerability is deemed low severity because it requires a highly specific setup: a hosting provider that allows multiple registries on the same domain and an attacker who can publish crates.

Affected Systems

All installations of Cargo between version 1.68 and 1.96 that use the sparse index protocol for third‑party registries are affected. The impact applies regardless of operating system, as the flaw lies in the Cargo binary itself.

Risk and Exploitability

The CVSS score is 2.3 and the EPSS score is not available, indicating a limited likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require control of a registry within a domain hosting multiple registries and the ability to publish crates; because of these niche prerequisites, the practical risk remains low.

Generated by OpenCVE AI on May 25, 2026 at 10:23 UTC.

Remediation

Vendor Solution

Rust 1.96, to be released on May 28th, 2026, will update Cargo to only strip the `.git` suffix from registry URLs using the git protocol. No mitigations are available for users of older versions of Cargo.
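To make the normalization problem in the description and the vendor fix concrete, here is an added illustrative model written for this page; it is not Cargo's own code, and the names `Protocol`, `classify`, `normalize_vulnerable`, `normalize_fixed` and `distinct_keys` are assumed for the example. It keys a credential lookup by normalized index URL, and contrasts stripping `.git` unconditionally (the behaviour the advisory describes for 1.68 through 1.96) with stripping it only for git-protocol registries (the behaviour the advisory describes for the fix):

```rust
// Illustrative model of registry URL normalization, constructed for this page.
// Not Cargo's code: the types and function names below are assumptions.
use std::collections::BTreeSet;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Protocol {
    Git,
    Sparse,
}

/// Split an index URL into its protocol and the URL proper. Cargo marks
/// sparse-index registries with a `sparse+` prefix; anything else is treated
/// as a git index in this model.
pub fn classify(index_url: &str) -> (Protocol, &str) {
    match index_url.strip_prefix("sparse+") {
        Some(rest) => (Protocol::Sparse, rest),
        None => (Protocol::Git, index_url),
    }
}

/// Behaviour the advisory describes for the affected versions: `.git` is
/// stripped regardless of protocol, so two distinct sparse registries whose
/// names differ only by a `.git` suffix collapse onto one normalized key.
pub fn normalize_vulnerable(index_url: &str) -> String {
    let (_, url) = classify(index_url);
    let url = url.trim_end_matches('/');
    url.strip_suffix(".git").unwrap_or(url).to_string()
}

/// Behaviour the advisory describes for the fix: `.git` is only stripped for
/// git-protocol registries; a sparse URL keeps its name (minus trailing slash).
pub fn normalize_fixed(index_url: &str) -> String {
    let (proto, url) = classify(index_url);
    let url = url.trim_end_matches('/');
    match proto {
        Protocol::Git => url.strip_suffix(".git").unwrap_or(url).to_string(),
        Protocol::Sparse => url.to_string(),
    }
}

/// Number of distinct credential-store keys a set of registries produces under
/// a given normalizer. Fewer keys than registries means a store keyed by the
/// normalized URL would return one registry's token for another.
pub fn distinct_keys(urls: &[&str], normalize: fn(&str) -> String) -> usize {
    let mut keys: BTreeSet<String> = BTreeSet::new();
    for u in urls {
        keys.insert(normalize(u));
    }
    keys.len()
}

fn main() {
    // Constructed sample: two registries with arbitrary names under one host.
    let registries = [
        "sparse+https://registry.example/org/crates/",
        "sparse+https://registry.example/org/crates.git/",
    ];
    println!("vulnerable normalizer: {} distinct key(s)", distinct_keys(&registries, normalize_vulnerable));
    println!("fixed normalizer:      {} distinct key(s)", distinct_keys(&registries, normalize_fixed));
}
```

Running the model on the two constructed sparse registries yields one shared key under the unconditional strip and two distinct keys under the protocol-aware strip; a plain git index URL ending in `.git` is still normalized the same way under both, which is why the fix is scoped to the protocol rather than removing the stripping altogether.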


OpenCVE Recommended Actions

  • Upgrade Cargo to 1.96 or later (the release scheduled for May 28, 2026), which restores proper URL normalization for registry URLs.
  • If an upgrade is not immediately possible, avoid using registries that share the same domain; configure each registry with a distinct domain or sub‑domain to prevent normalization collisions.
  • Continue to monitor for unusual credential usage in build logs or access patterns, and restrict network access to trusted registry endpoints.



Advisories

No advisories yet.

History

Mon, 25 May 2026 11:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Rust-lang; Rust-lang cargo
Vendors & Products  |                | Rust-lang; Rust-lang cargo

Mon, 25 May 2026 09:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
Title       |                | Cargo can be coerced to share credentials between registries
Weaknesses  |                | CWE-647
References  |                |
Metrics     |                | cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: rust

Published:

Updated: 2026-05-25T08:54:56.348Z

Reserved: 2026-03-31T12:07:40.168Z

Link: CVE-2026-5222

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T11:30:23Z

Weaknesses