CVE-2026-5222
CWE-647 · Published: May 25, 2026 · Updated: May 26, 2026
Official Description
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
Technical Analysis
CVE-2026-5222 can be exploited remotely over the network without requiring physical or adjacent access, which widens the set of attackers able to reach a vulnerable Cargo client.
Exploitation does not require any privileges, though user interaction (P) is needed, which slightly reduces the risk of mass automated attacks.
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2026-5222 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts