PT-2026-43024 · Rust · Cargo
Christos Papakonstantinou · Published 2026-05-25 · Updated 2026-06-02
CVE-2026-5222 · CVSS v3.1 score 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Cargo versions 1.68 through 1.95
Description
Cargo incorrectly normalized the URLs of third-party registries that use the sparse index protocol. Where a hosting provider allows multiple registries with arbitrary names to be hosted within the same domain, an attacker capable of publishing crates in a registry could obtain the credentials of other users of that same registry.
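The failure mode behind this description is credential scoping: if a client keys stored registry tokens on the host alone, two sparse registries that merely share a domain end up sharing a token. The following Python model is an added illustration, not Cargo's code and not the vendor fix; the registry URLs, the token value, the normalization rules and the `cargo_version_affected` helper (which encodes the 1.68 through 1.95 range stated above) are assumptions made for the example. It contrasts host-only scoping with scoping on the full normalized URL and shows which one leaks.

```python
"""Constructed model of credential scoping for sparse-index registries.

Not Cargo's implementation: it only demonstrates why a token stored for one
registry must not be returned for another registry on the same host.
"""
from urllib.parse import urlsplit, urlunsplit


def normalize_registry_url(url: str) -> str:
    """Canonical form of a sparse registry URL (assumed rules for this example):
    strip a leading 'sparse+', lower-case scheme and host, drop default ports,
    and keep the path with exactly one trailing slash so that /alice and /alice/
    compare equal while /alice and /bob stay distinct."""
    if url.startswith("sparse+"):
        url = url[len("sparse+"):]
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    default_port = (scheme == "https" and port == 443) or (scheme == "http" and port == 80)
    if port and not default_port:
        host = f"{host}:{port}"
    path = parts.path.rstrip("/") + "/"
    return urlunsplit((scheme, host, path, "", ""))


def host_only_key(url: str) -> str:
    """Weak scoping: the credential key is the host, the path is ignored."""
    return urlsplit(normalize_registry_url(url)).netloc


def full_url_key(url: str) -> str:
    """Correct scoping: the credential key is the whole normalized registry URL."""
    return normalize_registry_url(url)


class CredentialStore:
    """Minimal token store parameterized by the scoping function."""

    def __init__(self, key_fn):
        self._key = key_fn
        self._tokens = {}

    def store(self, registry_url: str, token: str) -> None:
        self._tokens[self._key(registry_url)] = token

    def lookup(self, registry_url: str):
        return self._tokens.get(self._key(registry_url))


def token_leaks_across_registries(key_fn, victim_registry: str, other_registry: str,
                                  token: str = "TOKEN-constructed-example") -> bool:
    """True if a token saved for victim_registry is handed out for other_registry."""
    store = CredentialStore(key_fn)
    store.store(victim_registry, token)
    return store.lookup(other_registry) == token


def cargo_version_affected(version: str) -> bool:
    """True for the affected range stated in this advisory: 1.68 through 1.95."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return major == 1 and 68 <= minor <= 95


# Constructed registries: two tenants of one hosting domain, distinguished by path.
VICTIM = "sparse+https://crates.example.test/registries/alice/"
OTHER = "sparse+https://crates.example.test/registries/bob/"

if __name__ == "__main__":
    print("host-only scoping leaks token:", token_leaks_across_registries(host_only_key, VICTIM, OTHER))
    print("full-URL scoping leaks token:", token_leaks_across_registries(full_url_key, VICTIM, OTHER))
    print("cargo 1.80.0 in affected range:", cargo_version_affected("1.80.0"))
```

Running the model with host-only scoping returns the victim's token for the other tenant's registry; full-URL scoping does not, while still treating case and trailing-slash variants of the same registry as one entry. On a fleet, `cargo_version_affected` applied to `cargo --version` output is the quick check for whether a build host still needs the update.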
Recommendations
Update to version 1.96.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Cargo