CVE-2026-5222: CWE-647 Use of Non-Canonical URL paths for authorization decisions in Rust Cargo
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
AI Analysis
Technical Summary
Rust Cargo versions 1.68.0 to 1.96 contain a vulnerability (CWE-647) related to improper normalization of non-canonical URL paths for authorization decisions in third-party registries using the sparse index protocol. If a hosting provider permits multiple registries with arbitrary names under the same domain, an attacker with publishing rights in one registry could exploit this flaw to access credentials of other users in the same registry. The vulnerability is rated low severity with a CVSS 4.0 score of 2.3, reflecting the niche conditions required for exploitation.
Potential Impact
An attacker able to publish crates in a vulnerable registry could obtain credentials of other users within that registry. However, the impact is limited by the very specific environment and conditions needed, including hosting multiple registries with arbitrary names on the same domain and attacker publishing capability. There are no known exploits in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround has been documented at this time. Users should monitor Rust Cargo vendor advisories for updates and consider restricting registry hosting configurations to avoid multiple arbitrary registry names under the same domain if possible.
CVE-2026-5222: CWE-647 Use of Non-Canonical URL paths for authorization decisions in Rust Cargo
Description
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Rust Cargo versions 1.68.0 to 1.96 contain a vulnerability (CWE-647) related to improper normalization of non-canonical URL paths for authorization decisions in third-party registries using the sparse index protocol. If a hosting provider permits multiple registries with arbitrary names under the same domain, an attacker with publishing rights in one registry could exploit this flaw to access credentials of other users in the same registry. The vulnerability is rated low severity with a CVSS 4.0 score of 2.3, reflecting the niche conditions required for exploitation.
Potential Impact
An attacker able to publish crates in a vulnerable registry could obtain credentials of other users within that registry. However, the impact is limited by the very specific environment and conditions needed, including hosting multiple registries with arbitrary names on the same domain and attacker publishing capability. There are no known exploits in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround has been documented at this time. Users should monitor Rust Cargo vendor advisories for updates and consider restricting registry hosting configurations to avoid multiple arbitrary registry names under the same domain if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- rust
- Date Reserved
- 2026-03-31T12:07:40.168Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a141902a5ae1af1aa7fdd84
Added to database: 5/25/2026, 9:40:18 AM
Last enriched: 5/25/2026, 9:55:32 AM
Last updated: 5/26/2026, 7:54:47 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.