CVE-2026-5223 is a vulnerability in Rust’s package management ecosystem where crates hosted in third-party registries can override the cached source of legitimately installed crates. This creates a supply chain risk, as a malicious or compromised third-party registry could substitute trusted package code with altered versions. The impact is particularly significant in CI/CD pipelines and cloud build environments where dependency caching is widely used.

Security Architect’s Take: Audit your Rust-based build pipelines for reliance on third-party crate registries and enforce registry source pinning using checksums or lockfiles. Consider restricting allowed registries in your Cargo configuration and validating crate integrity as part of your software supply chain controls.

Original advisory: CVE-2026-5223 Crates in third party registries can override the cached source of other crates