Security Advisory for Cargo (CVE-2026-5222) | Rust Blog

Empowering everyone to build reliable and efficient software.

lunedì 25 maggio 2026 New tab

TL;DRAI

Cargo (Rust 1.68–1.95) incorrectly normalized sparse registry URLs, allowing an attacker with publish access to steal authentication tokens from other users sharing the same hosting domain. The fix ships in Rust 1.96 on May 28th; teams using private sparse registries on shared hosts should prioritize the upgrade and audit credential exposure in the interim.

401 words~2 min read

The Rust Security Response Team was notified that Cargo incorrectly normalized

the URLs of third-party registries using the sparse index protocol. If a

hosting provider allowed multiple registries to be hosted with arbitrary names

within the same domain, an attacker able to publish crates in a registry could

obtain the credentials of others users of the same registry.

Security Advisory for Cargo (CVE-2026-5222) | Rust Blog

Security Advisory for Cargo (CVE-2026-5222) | Rust Blog

Other newsrooms on this story

Related reading

Security Advisory for Cargo (CVE-2026-5223) | Rust Blog

Security advisory for Cargo | Rust Blog

Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal Freight

The Cloudflare Blog: Rust Workers

Guy Bedford - The Cloudflare Blog

GitHub Flaw Reveals Dangers of Implicit Trust

Other newsrooms on this story

Related reading

Security Advisory for Cargo (CVE-2026-5223) | Rust Blog

Security advisory for Cargo | Rust Blog

Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal Freight

The Cloudflare Blog: Rust Workers

Guy Bedford - The Cloudflare Blog

GitHub Flaw Reveals Dangers of Implicit Trust