CVE-2026-5222

NameCVE-2026-5222
DescriptionCargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cargo (PTS)bullseye0.47.0-3vulnerable
bookworm0.66.0+ds1-1vulnerable
rust-cargo (PTS)bullseye0.43.1-4vulnerable
bookworm0.66.0-1vulnerable
trixie0.86.0-2vulnerable
forky, sid0.91.0-4fixed
rustc (PTS)bullseye1.48.0+dfsg1-2vulnerable
bookworm1.63.0+dfsg1-2vulnerable
trixie1.85.0+dfsg3-1vulnerable
forky, sid1.95.0+dfsg1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cargosource(unstable)(unfixed)
rust-cargosource(unstable)0.91.0-3
rustcsource(unstable)1.95.0+dfsg1-2

Notes

[bookworm] - cargo <no-dsa> (Minor issue)
[bullseye] - cargo <postponed> (Minor issue)
[trixie] - rust-cargo <no-dsa> (Minor issue)
[bookworm] - rust-cargo <no-dsa> (Minor issue)
[bullseye] - rust-cargo <postponed> (Minor issue)
[trixie] - rustc <no-dsa> (Minor issue)
[bookworm] - rustc <no-dsa> (Minor issue)
[bullseye] - rustc <postponed> (Minor issue)
https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s
https://blog.rust-lang.org/2026/05/25/cve-2026-5222/
https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f
Search for package or bug name: Reporting problems