
Rust Cargo CVE-2026-5222

LOW
Use of Non-Canonical URL Paths for Authorization Decisions (CWE-647)
2026-05-25 rust
2.3
CVSS 4.0

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
Passive
Vulnerable System Confidentiality
Low
Subsequent System Confidentiality
Low
Safety (supplemental)
Not Defined

Lifecycle Timeline

Source Code Evidence Fetched
May 26, 2026 - 21:30 vuln.today
Analysis Generated
May 26, 2026 - 21:30 vuln.today
CVSS changed
May 26, 2026 - 19:22 NVD
2.3 (LOW)
CVE Published
May 25, 2026 - 08:54 nvd
UNKNOWN (no severity yet)

Description (NVD)

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of the same registry. The severity of the vulnerability is low, due to the extremely niche requirements needed to achieve the attack.

Analysis (AI)

Credential leakage in Cargo's sparse index registry URL normalization affects all Cargo releases from 1.68 through 1.96. The flaw caused Cargo to apply git-registry canonicalization rules, specifically stripping a .git suffix and lowercasing GitHub paths, to sparse index protocol URLs (those prefixed with sparse+). Because credentials are looked up by canonical registry URL, two distinct sparse registries on the same host whose URLs differ only by a .git suffix or by case could resolve to the same canonical URL and therefore to the same stored credentials. …
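The following is an added illustration of the normalization mistake, not Cargo's own code. It models the flawed rule described above (git-style .git stripping and GitHub case folding applied to sparse+ URLs) beside a corrected rule that leaves sparse index URLs alone apart from a trailing slash, and shows how a credential store keyed by canonical URL hands one registry's token to a different registry under the flawed rule. The registry host registry.example, the registry names acme and acme.git, the token value and the hosting setup are all constructed for the example; the exact shape of Cargo's fix is an assumption here.

```rust
use std::collections::HashMap;

/// Split "sparse+https://host/path" into ("sparse+https://", "host/path").
/// Anything without "://" is returned whole as the path part.
fn split_scheme(url: &str) -> (&str, &str) {
    match url.find("://") {
        Some(i) => (&url[..i + 3], &url[i + 3..]),
        None => ("", url),
    }
}

/// True when the host component is github.com (case-insensitive).
fn host_is_github(rest: &str) -> bool {
    let host = rest.split('/').next().unwrap_or("");
    host.eq_ignore_ascii_case("github.com")
}

/// Hypothetical model of the pre-fix behaviour: git-registry rules
/// (drop trailing '/', drop a ".git" suffix, lowercase GitHub paths)
/// applied to every registry URL, sparse+ ones included.
pub fn canonical_key_flawed(url: &str) -> String {
    let (scheme, rest) = split_scheme(url);
    let mut rest = rest.trim_end_matches('/').to_string();
    if rest.ends_with(".git") {
        rest.truncate(rest.len() - ".git".len());
    }
    if host_is_github(&rest) {
        rest = rest.to_ascii_lowercase();
    }
    format!("{scheme}{rest}")
}

/// Hypothetical model of a corrected rule (assumption, not Cargo's code):
/// a sparse index URL names a directory on an HTTP server, so the only
/// normalisation applied is a single trailing '/'; the git-specific
/// rewriting is reserved for non-sparse (git) registries.
pub fn canonical_key_fixed(url: &str) -> String {
    let (scheme, rest) = split_scheme(url);
    if scheme.starts_with("sparse+") {
        let rest = rest.trim_end_matches('/');
        return format!("{scheme}{rest}/");
    }
    canonical_key_flawed(url)
}

/// Minimal stand-in for a credentials file: tokens keyed by canonical URL,
/// with the canonicalisation rule supplied by the caller.
pub struct CredentialStore {
    tokens: HashMap<String, String>,
    canon: fn(&str) -> String,
}

impl CredentialStore {
    pub fn new(canon: fn(&str) -> String) -> Self {
        CredentialStore { tokens: HashMap::new(), canon }
    }

    /// Save `token` for `registry_url` (e.g. after `cargo login --registry`).
    pub fn store(&mut self, registry_url: &str, token: &str) {
        self.tokens.insert((self.canon)(registry_url), token.to_string());
    }

    /// The token that would be attached to a request for `registry_url`.
    pub fn lookup(&self, registry_url: &str) -> Option<&str> {
        self.tokens.get(&(self.canon)(registry_url)).map(String::as_str)
    }
}

/// Constructed scenario: one hosting provider serves registries under
/// arbitrary names on the same domain (the page's precondition). The
/// attacker picks a name that the flawed rule collapses onto the victim's.
pub const VICTIM_REGISTRY: &str = "sparse+https://registry.example/acme/";
pub const ATTACKER_REGISTRY: &str = "sparse+https://registry.example/acme.git/";

/// Store the victim's token, then ask which token a request to the
/// attacker's registry would carry under the given rule.
pub fn leaked_token(canon: fn(&str) -> String) -> Option<String> {
    let mut store = CredentialStore::new(canon);
    store.store(VICTIM_REGISTRY, "victim-token");
    store.lookup(ATTACKER_REGISTRY).map(str::to_string)
}

fn main() {
    println!("flawed rule leaks: {:?}", leaked_token(canonical_key_flawed));
    println!("fixed rule leaks:  {:?}", leaked_token(canonical_key_fixed));
}
```

The same collision arises from case folding alone when the host is github.com: under the flawed rule `sparse+https://github.com/Org/Crates/` and `sparse+https://github.com/org/crates/` share one key, while the corrected rule keeps them apart. When auditing a registry host, the check to run is exactly this: take every pair of registry URLs a tenant could register and confirm no two of them canonicalise to the same credential key.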


CVE-2026-5222 vulnerability details – vuln.today
