{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-5222","assignerOrgId":"986d4109-89ea-491f-99fd-a8e4803919bd","state":"PUBLISHED","assignerShortName":"rust","dateReserved":"2026-03-31T12:07:40.168Z","datePublished":"2026-05-25T08:54:56.348Z","dateUpdated":"2026-05-26T14:43:10.019Z"},"containers":{"cna":{"providerMetadata":{"orgId":"986d4109-89ea-491f-99fd-a8e4803919bd","shortName":"rust","dateUpdated":"2026-05-25T08:54:56.348Z"},"title":"Cargo can be coerced to share credentials between registries","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-647","description":"CWE-647 Use of Non-Canonical URL paths for authorization decisions","type":"CWE"}]}],"affected":[{"vendor":"Rust","product":"Cargo","collectionURL":"https://crates.io","packageName":"cargo","repo":"https://github.com/rust-lang/cargo","modules":["sparse index"],"versions":[{"status":"affected","version":"1.68.0","lessThan":"1.96.0","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.","supportingMedia":[{"type":"text/html","base64":false,"value":"<div>Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry.&nbsp;The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.</div>"}]}],"references":[{"url":"https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s","tags":["vendor-advisory","mailing-list"]},{"url":"https://blog.rust-lang.org/2026/05/25/cve-2026-5222/","tags":["vendor-advisory"]},{"url":"https://github.com/rust-lang/cargo/pull/17031","tags":["patch"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","subConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"LOW","baseScore":2.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"}}],"solutions":[{"lang":"en","value":"Rust 1.96, to be released on May 28th, 2026, will update Cargo to only strip the `.git` suffix from registry URLs using the git protocol. No mitigations are available for users of older versions of Cargo.","supportingMedia":[{"type":"text/html","base64":false,"value":"Rust 1.96, to be released on May 28th, 2026, will update Cargo to only strip the `.git` suffix from registry URLs using the git protocol. No mitigations are available for users of older versions of Cargo."}]}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-26T14:36:59.303136Z","id":"CVE-2026-5222","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-26T14:43:10.019Z"}}]}}