CVE-2026-5222
Description
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2026-5222 NameCVE-2026-5222 DescriptionCargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity…
CVE-2026-5222
| Name | CVE-2026-5222 |
| Description | Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| cargo (PTS) | bullseye | 0.47.0-3 | vulnerable |
| bookworm | 0.66.0+ds1-1 | vulnerable | |
| rust-cargo (PTS) | bullseye | 0.43.1-4 | vulnerable |
| bookworm | 0.66.0-1 | vulnerable | |
| trixie | 0.86.0-2 | vulnerable | |
| forky, sid | 0.91.0-2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cargo | source | (unstable) | (unfixed) | |||
| rust-cargo | source | (unstable) | (unfixed) |
Notes
https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s
https://blog.rust-lang.org/2026/05/25/cve-2026-5222/
https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f
check correctness of tracking
Apply commands
https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5shttps://blog.rust-lang.org/2026/05/25/cve-2026-5222/https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997fcheck correctness of trackingOS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | forky | affected | |
| sles | affected | | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | trixie | affected | |
| debian | sid | fixed | 1.95.0+dfsg1-2 |
| windows | affected | |
References
- https://blog.rust-lang.org/2026/05/25/cve-2026-5222/
- https://github.com/rust-lang/cargo/pull/17031
- https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s
- https://www.suse.com/security/cve/CVE-2026-5222.html
- https://security-tracker.debian.org/tracker/CVE-2026-5222
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-5222
CWEs
CWE-647
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.