CVE-2026-5222
Description
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2026-5222 NameCVE-2026-5222 DescriptionCargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity…
CVE-2026-5222
| Name | CVE-2026-5222 |
| Description | Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| cargo (PTS) | bullseye | 0.47.0-3 | vulnerable |
| bookworm | 0.66.0+ds1-1 | vulnerable | |
| rust-cargo (PTS) | bullseye | 0.43.1-4 | vulnerable |
| bookworm | 0.66.0-1 | vulnerable | |
| trixie | 0.86.0-2 | vulnerable | |
| forky, sid | 0.91.0-2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cargo | source | (unstable) | (unfixed) | |||
| rust-cargo | source | (unstable) | (unfixed) |
Notes
https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s
https://blog.rust-lang.org/2026/05/25/cve-2026-5222/
https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f
check correctness of tracking
Apply commands
https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5shttps://blog.rust-lang.org/2026/05/25/cve-2026-5222/https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997fcheck correctness of trackingOS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| — | Affected | — |
Windows Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| — | Affected | — |
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | — |
| sid | Fixed | 1.95.0+dfsg1-2 |
| forky | Fixed | 0.91.0-3 |
| bullseye | Affected | — |
| bookworm | Affected | — |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| rust-lang | cargo | {"startIncluding":"1.68.0","endExcluding":"1.96.0"} | 1.96.0 |
References
- https://blog.rust-lang.org/2026/05/25/cve-2026-5222/
- https://github.com/rust-lang/cargo/pull/17031
- https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s
- https://www.suse.com/security/cve/CVE-2026-5222.html
- https://security-tracker.debian.org/tracker/CVE-2026-5222
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-5222
CWEs
CWE-647
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.