ALPINE-CVE-2026-5222

Source
https://security.alpinelinux.org/vuln/CVE-2026-5222
Import Source
https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-5222.json
JSON Data
https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-5222
Upstream
  • CVE-2026-5222
Published
2026-05-25T10:16:15.273Z
Modified
2026-06-09T21:31:42.853357684Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of the same registry. The severity of the vulnerability is low, due to the extremely niche requirements needed to achieve the attack.

References

Affected packages

Alpine:v3.23 / rust

Package

Name
rust
Purl
pkg:apk/alpine/rust?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.91.1-r2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-5222.json"

Alpine:v3.24 / rust

Package

Name
rust
Purl
pkg:apk/alpine/rust?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.96.0-r0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-5222.json"