CVE-2026-5222

EUVD-2026-31654

25.05.2026, 10:16

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Common Weakness Enumeration

CWE-647 - Use of Non-Canonical URL Paths for Authorization Decisions
The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.

References

https://blog.rust-lang.org/2026/05/25/cve-2026-5222/

https://github.com/rust-lang/cargo/pull/17031

https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s