URL Normalization Vulnerability in Cargo Affects Rust Programming Language
CVE-2026-5222

2.3 LOW

Key Information:

Vendor: Rust
Status: Vendor
CVE Published: 25 May 2026

What is CVE-2026-5222?

A URL normalization vulnerability exists in Cargo versions 1.68 to 1.96, where the URLs of third-party registries using the sparse index protocol are incorrectly normalized. If a hosting provider allows the hosting of multiple registries with arbitrary names within the same domain, an attacker who can publish crates in one registry may gain unauthorized access to the credentials of users in the same registry. This scenario requires very specific conditions to be met, making the exploit highly niche.

Affected Version(s)

Cargo >= 1.68.0, < 1.96.0

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved