FIND-20260327-001 · 2026-03-27 · Innovation Veille

Rust 1.94.1 released — CVE-2026-33056 Cargo tar crate fix

release HIGH
Rust 1.94.1 was released on March 26, 2026 as an out-of-cycle security patch. It updates the bundled tar crate to fix CVE-2026-33056, a vulnerability that allowed a malicious crate to change permissions on arbitrary filesystem directories during a Cargo build. No crates on crates.io exploit this — crates.io blocked uploads and audited all existing crates on March 13. Users of alternate registries should also update. The previous stable was 1.94.0.

Source

https://blog.rust-lang.org/2026/03/21/cve-2026-33056/

ODS Impact

CRITICAL for ODS: All Rust services (billing-engine, pdf-engine, OID, docstore, workflow-engine, form-engine, securemail) use Cargo and the tar crate transitively. Rust toolchain upgrade to 1.94.1 is mandatory. CI/CD Dockerfiles and Coolify build images must be pinned to 1.94.1. Any team member with a local Rust install should run rustup update.
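
One way to check the Dockerfile pinning requirement above, as an added example that is not part of the original finding or of ODS tooling. It assumes build stages use the rust image with full X.Y.Z version tags; the function names and the sample Dockerfile lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ODS's own tooling): audit Dockerfile base images against
# the patched toolchain. MIN_RUST is the fixed release named in this finding.
MIN_RUST="1.94.1"

# classify_rust_tag TAG -> ok | outdated | unpinned
classify_rust_tag() (
  ver=${1%%-*}                       # drop variant suffix such as -slim-bookworm
  case "$ver" in
    ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) echo unpinned; return ;;  # not numeric X.Y.Z
    *.*.*) ;;
    *) echo unpinned; return ;;      # "1" or "1.94" float to whatever is newest
  esac
  IFS=.
  set -- $ver $MIN_RUST              # $1-$3 = tag version, $4-$6 = minimum
  if [ "$1" -ne "$4" ]; then
    if [ "$1" -gt "$4" ]; then echo ok; else echo outdated; fi
  elif [ "$2" -ne "$5" ]; then
    if [ "$2" -gt "$5" ]; then echo ok; else echo outdated; fi
  elif [ "$3" -ge "$6" ]; then echo ok
  else echo outdated
  fi
)

# audit_dockerfile: Dockerfile text on stdin -> "<status> <image-ref>" per Rust base image
audit_dockerfile() (
  awk 'toupper($1) == "FROM" { i = 2; while ($i ~ /^--/) i++; print $i }' |
  while IFS= read -r ref; do
    name=${ref%%@*}                  # ignore any @sha256 digest
    last=${name##*/}                 # strip registry and namespace
    case "$last" in
      *:*) repo=${last%%:*}; tag=${last#*:} ;;
      *)   repo=$last; tag="" ;;     # no tag at all means implicit "latest"
    esac
    [ "$repo" = rust ] || continue   # only Rust toolchain images are in scope
    echo "$(classify_rust_tag "$tag") $ref"
  done
)

# Constructed sample Dockerfile lines, not taken from any ODS repository.
audit_dockerfile <<'EOF'
FROM rust:1.94.0-slim AS build
FROM --platform=linux/amd64 docker.io/library/rust:1.94.1 AS test
FROM rust:latest
FROM debian:bookworm-slim
EOF
```

In CI, feed each Dockerfile to audit_dockerfile and fail the job when any line starts with outdated or unpinned.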

Security Review

License: MIT / Apache-2.0 | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

rust security cargo CVE-2026-33056 supply-chain