CVE Alert

CVE-2026-5222

UNKNOWN 0.0

Cargo can be coerced to share credentials between registries

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 12th

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.

CWE CWE-647
Vendor rust
Product cargo
Ecosystems
Industries
Technology
Published May 25, 2026
Last Updated May 26, 2026

Affected Versions

Rust / Cargo
1.68.0 < 1.96.0

References

groups.google.com: https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s
blog.rust-lang.org: https://blog.rust-lang.org/2026/05/25/cve-2026-5222/
github.com: https://github.com/rust-lang/cargo/pull/17031