Skip to main content

Rust Cargo CVE-2026-5222

| EUVDEUVD-2026-31654 LOW
Use of Non-Canonical URL Paths for Authorization Decisions (CWE-647)
2026-05-25 rust GHSA-p688-r7jv-fm6f
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 26, 2026 - 21:30 vuln.today
Analysis Generated
May 26, 2026 - 21:30 vuln.today
CVSS changed
May 26, 2026 - 19:22 NVD
2.3 (LOW)
CVE Published
May 25, 2026 - 08:54 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is low, due to the extremely niche requirements needed to achieve the attack.

AnalysisAI

Credential leakage in Cargo's sparse index registry URL normalization affects all Cargo releases from 1.68 through 1.96. The flaw caused Cargo to incorrectly apply git-registry canonicalization rules - specifically, stripping .git suffixes and lowercasing GitHub paths - to sparse index protocol URLs (prefixed with sparse+). This allowed two distinct sparse registry URLs that differed only by a .git suffix to resolve to the same canonical identifier, meaning credentials configured for one registry could be transmitted to a different, attacker-controlled registry on the same domain. No public exploit identified at time of analysis; EPSS is 0.04% (12th percentile), consistent with the vendor-assessed low severity and SSVC exploitation status of none.

Technical ContextAI

Cargo implements URL canonicalization in src/cargo/util/canonical_url.rs to produce stable, hashable identifiers for registries. For git-backed registries, stripping .git suffixes is semantically correct because git hosts typically serve the same repository at both repo and repo.git. However, for sparse index registries (identified by the sparse+https:// scheme containing a + character in the scheme), these paths are not git repos but HTTP endpoints where path components are meaningful and distinct. CWE-647 (Use of Non-Canonical URL Paths for Authorization Decisions) precisely describes this root cause: authorization/credential scoping decisions were based on a canonicalized URL that incorrectly collapsed two distinct registry identities into one. The fix in PR #17031 gates the .git-stripping and GitHub lowercasing logic on !url.scheme().contains('+'), ensuring sparse registry URLs are not subject to git-specific normalization. CPE: cpe:2.3:a:rust:cargo:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade Cargo to a version beyond 1.96 that incorporates the fix from upstream pull request https://github.com/rust-lang/cargo/pull/17031. The exact first patched release version is not specified in the available advisory data - consult the official Rust release notes at https://blog.rust-lang.org/2026/05/25/cve-2026-5222/ for the confirmed fixed version. As a compensating control for environments that cannot upgrade immediately, organizations can avoid using sparse-protocol registries hosted on multi-tenant providers where arbitrary registry path names within the same domain are permitted; switching to dedicated domain hosting for private registries eliminates the URL collision surface entirely. Credential rotation for any sparse-protocol third-party registry credentials should be considered if the deployment matches the vulnerable hosting topology described in the advisory.

Share

CVE-2026-5222 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy