FIND-20260331-003 · 2026-03-31 · Innovation Veille

CVE-2026-33056 — Rust/Cargo tar crate allows filesystem permission manipulation

Type: CVE | Severity: HIGH
CVE-2026-33056, disclosed by the Rust Security Response Team on 2026-03-21: a malicious crate can change permissions on arbitrary directories when Cargo extracts it during a build, via the third-party tar crate. A crates.io-level mitigation was deployed on 2026-03-13 that prevents exploitation through the public registry. Rust 1.94.1 (released 2026-03-26) ships the patched tar crate. Users of alternate registries remain exposed while on older Cargo versions.

Source

https://blog.rust-lang.org/2026/03/21/cve-2026-33056/

ODS Impact

ODS uses Rust extensively (Actix-web, billing-engine, OID, PDF engine). All developers and CI/CD pipelines running cargo build/test must upgrade to Rust 1.94.1+. The attack vector is build-time: a compromised dependency listed in Cargo.lock could trigger the permission change when Cargo extracts it. Update the Rust toolchain immediately on srv-agents and in GitHub Actions.
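
A version gate for the CI runners, as an added example that is not part of this finding or of the Rust project's tooling: it fails the job unless the toolchain on PATH reports at least 1.94.1 (the first release bundling the patched tar crate). It assumes `rustc --version` prints "rustc X.Y.Z (...)"; pre-release (nightly/beta) toolchains are reported as "cannot tell" rather than accepted.

```shell
#!/bin/sh
# Added example (not from the advisory or the Rust project): fail a CI job
# unless the installed Rust toolchain is at least 1.94.1, the first stable
# release that ships the patched tar crate (version taken from the finding).
# Assumption: `rustc --version` prints "rustc X.Y.Z (<hash> <date>)".
MIN_RUST="1.94.1"

# numeric_field STR N -> Nth dot-separated component of STR, "" if absent or non-numeric
numeric_field() {
  f=$(printf '%s' "$1" | cut -d. -f"$2")
  case "$f" in ''|*[!0-9]*) printf '' ;; *) printf '%s' "$f" ;; esac
}

# version_ge HAVE WANT -> 0 when HAVE >= WANT (three numeric components), 1 when older, 2 if malformed
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    h=$(numeric_field "$1" "$i"); w=$(numeric_field "$2" "$i")
    [ -n "$h" ] && [ -n "$w" ] || return 2
    [ "$h" -gt "$w" ] && return 0
    [ "$h" -lt "$w" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# rustc_version_ok "<rustc --version line>" -> 0 patched, 1 too old, 2 cannot tell
rustc_version_ok() {
  ver=$(printf '%s\n' "$1" | awk '$1 == "rustc" {print $2}')
  case "$ver" in
    '')  echo "unparseable rustc version line: $1" >&2; return 2 ;;
    *-*) echo "pre-release toolchain $ver: confirm the tar crate fix manually" >&2; return 2 ;;
  esac
  version_ge "$ver" "$MIN_RUST"
}

# CI entry point: check the toolchain actually on PATH (srv-agents, GitHub Actions runners).
check_installed_rustc() {
  line=$(rustc --version 2>/dev/null) || { echo "rustc not found on PATH" >&2; return 2; }
  if rustc_version_ok "$line"; then
    echo "OK: $line (>= $MIN_RUST)"
  else
    rc=$?
    echo "FAIL: $line does not satisfy >= $MIN_RUST (CVE-2026-33056)" >&2
    return "$rc"
  fi
}
```

Call `check_installed_rustc` as the first step of any job that runs cargo build or cargo test; a non-zero exit stops the pipeline before untrusted crates are extracted.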

Security Review

License: MIT/Apache-2.0 | Maintenance: ACTIVE | Risk: MEDIUM | Recommendation: USE_WITH_CAUTION

Tags

rust cargo cve supply-chain build-time high-severity