<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Devops-Security on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/devops-security/</link><description>Recent content in Devops-Security on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Fri, 13 Jun 2025 08:43:07 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/devops-security/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-40034: gitoxide Command Injection via .gitmodules</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-40034-gitoxide-command-injection-gix-submodule-gitmodules/</link><pubDate>Sat, 13 Jun 2026 08:43:07 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-40034-gitoxide-command-injection-gix-submodule-gitmodules/</guid><description>CVE-2026-40034 affects gitoxide&amp;#39;s gix-submodule crate, enabling command injection via partial .gitmodules overrides. Learn the risk and mitigation steps.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40034">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-40034 is a command injection vulnerability in gitoxide (specifically the gix-submodule crate), triggered via a partial override of the .gitmodules configuration. An attacker who can influence submodule configuration could execute arbitrary commands on the host system. This is particularly relevant to CI/CD pipelines and cloud build environments that rely on Rust-based Git tooling.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Audit any CI/CD pipelines or Azure DevOps workflows using gitoxide or the gix-submodule crate and update to the patched version immediately. Pay particular attention to builds that clone repositories with submodules from untrusted or partially trusted sources, as these represent the primary attack surface.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40034">CVE-2026-40034 gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule</a></p>
]]></content:encoded></item><item><title>CVE-2026-5222: Cargo Credential Leak Between Registries</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-5222-cargo-credential-leak-registry/</link><pubDate>Sat, 13 Jun 2026 08:42:39 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-5222-cargo-credential-leak-registry/</guid><description>CVE-2026-5222 allows Cargo to leak registry credentials to unintended endpoints. Learn the impact and how to protect your cloud build pipelines.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-5222">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-5222 is a vulnerability in Cargo, the Rust package manager, where it can be tricked into sending authentication credentials intended for one registry to a different, potentially untrusted registry. This credential leakage could allow an attacker to harvest tokens used to access private package registries. The issue is particularly relevant in CI/CD pipelines and cloud build environments where registry credentials are commonly stored as secrets.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Audit all Cargo-based build pipelines running in Azure or other cloud environments and ensure registry credentials are scoped as tightly as possible; rotate any tokens that may have been exposed. Consider enforcing network-level controls to restrict Cargo&rsquo;s outbound registry access to approved endpoints only until a patched version of Cargo is deployed.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-5222">CVE-2026-5222 Cargo can be coerced to share credentials between registries</a></p>
]]></content:encoded></item></channel></rss>