Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is low, due to the extremely niche requirements needed to achieve the attack.
AnalysisAI
Credential leakage in Cargo's sparse index registry URL normalization affects all Cargo releases from 1.68 through 1.96. The flaw caused Cargo to incorrectly apply git-registry canonicalization rules - specifically, stripping .git suffixes and lowercasing GitHub paths - to sparse index protocol URLs (prefixed with sparse+). This allowed two distinct sparse registry URLs that differed only by a .git suffix to resolve to the same canonical identifier, meaning credentials configured for one registry could be transmitted to a different, attacker-controlled registry on the same domain. No public exploit identified at time of analysis; EPSS is 0.04% (12th percentile), consistent with the vendor-assessed low severity and SSVC exploitation status of none.
Technical ContextAI
Cargo implements URL canonicalization in src/cargo/util/canonical_url.rs to produce stable, hashable identifiers for registries. For git-backed registries, stripping .git suffixes is semantically correct because git hosts typically serve the same repository at both repo and repo.git. However, for sparse index registries (identified by the sparse+https:// scheme containing a + character in the scheme), these paths are not git repos but HTTP endpoints where path components are meaningful and distinct. CWE-647 (Use of Non-Canonical URL Paths for Authorization Decisions) precisely describes this root cause: authorization/credential scoping decisions were based on a canonicalized URL that incorrectly collapsed two distinct registry identities into one. The fix in PR #17031 gates the .git-stripping and GitHub lowercasing logic on !url.scheme().contains('+'), ensuring sparse registry URLs are not subject to git-specific normalization. CPE: cpe:2.3:a:rust:cargo:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade Cargo to a version beyond 1.96 that incorporates the fix from upstream pull request https://github.com/rust-lang/cargo/pull/17031. The exact first patched release version is not specified in the available advisory data - consult the official Rust release notes at https://blog.rust-lang.org/2026/05/25/cve-2026-5222/ for the confirmed fixed version. As a compensating control for environments that cannot upgrade immediately, organizations can avoid using sparse-protocol registries hosted on multi-tenant providers where arbitrary registry path names within the same domain are permitted; switching to dedicated domain hosting for private registries eliminates the URL collision surface entirely. Credential rotation for any sparse-protocol third-party registry credentials should be considered if the deployment matches the vulnerable hosting topology described in the advisory.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foun
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimed
Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request
Cargo is a package manager for the rust programming language. Rated high severity (CVSS 8.1), this vulnerability is remo
Cargo downloads the Rust project’s dependencies and compiles the project. Rated high severity (CVSS 7.3), this vulnerabi
Tarball unpacking in Rust's Cargo package manager fails to reject symlinks within downloaded crate archives, enabling a
Cargo is a package manager for the rust programming language. Rated medium severity (CVSS 6.5), this vulnerability is re
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31654
GHSA-p688-r7jv-fm6f