PatchSiren cyber security CVE debrief
CVE-2026-5222 Rust CVE debrief
CVE-2026-5222 is a low-severity vulnerability in Cargo, the Rust package manager, affecting versions 1.68 through 1.96. The issue stems from incorrect URL normalization when Cargo interacts with third-party registries using the sparse index protocol. Specifically, if a hosting provider allows multiple registries with arbitrary names to be hosted within the same domain, an attacker able to publish crates in one registry could obtain the credentials of other users of that same registry. The attack requires extremely niche conditions: the hosting provider must allow arbitrary registry names within a shared domain, and the attacker must hold publishing privileges. The vulnerability was disclosed by the Rust Security Response WG on May 25, 2026, and fixed in Cargo pull request 17031. Users should upgrade to Cargo 1.97 or later to remediate this issue.
- Vendor: Rust
- Product: Cargo
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Organizations operating private Cargo registries on hosting providers that allow arbitrary registry naming within shared domains; Rust developers using third-party registries with sparse index protocol; security teams monitoring supply chain integrity for Rust ecosystems.
Technical summary
Affected versions of Cargo (1.68-1.96) normalize URLs for third-party registries using the sparse index protocol without properly accounting for registry name boundaries within a domain. When a hosting provider permits arbitrary registry names under a single domain, Cargo's normalization logic can conflate distinct registries, causing credentials intended for one registry to be sent to another. An attacker with publish access to a maliciously named registry could exploit this to harvest credentials from legitimate users. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, privileged attack requirements and required user interaction, with low confidentiality impact to the victim and low subsequent confidentiality impact to the system.
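As an added illustration of the defect class described above (this is not Cargo's code and is not taken from the advisory), the following Rust sketch contrasts a plain prefix check for deciding whether stored registry credentials apply to a request with a check that respects scheme, host and path-segment boundaries; the hostnames, registry names and URL layout are constructed assumptions.

```rust
// Added example, not Cargo's implementation. It models one credential store per
// sparse-index registry and asks: may the credentials for `index_url` be sent
// with a request to `request_url`? The URL splitting below is a simplification.

/// Split "scheme://host/path" into (scheme, host, path); path always starts with '/'.
fn split_url(url: &str) -> Option<(&str, &str, &str)> {
    let (scheme, rest) = url.split_once("://")?;
    Some(match rest.find('/') {
        Some(i) => (scheme, &rest[..i], &rest[i..]),
        None => (scheme, rest, "/"),
    })
}

/// Prefix-only scope check: a registry named "team-a" would match a sibling
/// registry named "team-a-evil" on the same host, leaking team-a's credentials.
fn naive_in_scope(index_url: &str, request_url: &str) -> bool {
    request_url.starts_with(index_url.trim_end_matches('/'))
}

/// Boundary-aware scope check: same scheme and host (case-insensitive), and the
/// request path is the index path itself or a descendant separated by '/'.
/// Paths containing a ".." segment are rejected outright.
fn strict_in_scope(index_url: &str, request_url: &str) -> bool {
    let (Some((s1, h1, p1)), Some((s2, h2, p2))) = (split_url(index_url), split_url(request_url))
    else {
        return false;
    };
    if !s1.eq_ignore_ascii_case(s2) || !h1.eq_ignore_ascii_case(h2) {
        return false;
    }
    if p2.split('/').any(|seg| seg == "..") {
        return false;
    }
    let base = p1.trim_end_matches('/');
    match p2.strip_prefix(base) {
        Some(rest) => rest.is_empty() || rest.starts_with('/'),
        None => false,
    }
}

fn main() {
    // Constructed sample: two registries sharing one host, one with a look-alike name.
    let index = "https://crates.example.net/team-a/";
    let lookalike = "https://crates.example.net/team-a-evil/config.json";
    println!("naive:  {}", naive_in_scope(index, lookalike)); // true  (credential leak)
    println!("strict: {}", strict_in_scope(index, lookalike)); // false (boundary enforced)
}
```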
Defensive priority
low
Recommended defensive actions
- Upgrade Cargo to version 1.97 or later to obtain the fix for incorrect URL normalization in sparse index registry handling.
- Review hosting configurations for private Cargo registries to ensure registry names are not arbitrarily assignable within shared domains.
- Audit registry access logs for any anomalous credential usage patterns if running affected Cargo versions with third-party registries.
Evidence notes
The CVE description explicitly states severity is low due to extremely niche requirements. The Rust Security Response WG published the advisory on 2026-05-25 per the official blog post. The fix is documented in GitHub pull request 17031.
Official resources
- CVE-2026-5222 CVE record (CVE.org)
- CVE-2026-5222 NVD detail (NVD)