FIND-20260406-003 · 2026-04-06 · Innovation Veille

CVE-2026-33056 — Cargo tar crate Arbitrary Directory Permission Change (MODERATE)

cve MEDIUM
Malicious crates can change permissions on arbitrary filesystem directories during Cargo extraction. Affects Cargo versions prior to Rust 1.94.1. The vulnerability is in the third-party tar crate. crates.io has been patched server-side to block uploads of exploitative crates. Fixed by upgrading to Rust 1.94.1. The current known ODS Rust version is 1.94.1, so the toolchain is already patched. CI/CD pipelines should verify that they pin to 1.94.1 or later.

Source

https://blog.rust-lang.org/2026/03/21/cve-2026-33056/

ODS Impact

Affects ODS build pipelines (GitHub Actions) and the agent environment. If the Rust toolchain is 1.94.1 (the current version), the risk is mitigated. Verify that the workflows under .github/workflows/ and any rust-toolchain files pin stable 1.94.1 or later. Also relevant for any Tauri 2 desktop build pipelines.
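
A check for the pin verification described above, added here as an illustration (it is not part of this advisory or of the Rust project's tooling). It assumes a pin appears as `channel = ...` in rust-toolchain.toml, as `toolchain: ...` in a workflow step, or as a bare line in a legacy rust-toolchain file; the usage path in the comment is a placeholder, and any channel that cannot be resolved statically (stable, nightly, a bare "1.94") is reported as floating rather than assumed safe.

```python
# Flag CI toolchain pins that predate the CVE-2026-33056 fix (Rust 1.94.1).
# Handles rust-toolchain, rust-toolchain.toml and GitHub Actions workflow text.
import re
import sys
from pathlib import Path

FIXED = (1, 94, 1)  # first Rust release carrying the patched Cargo/tar crate

# "1.94.1" or "1.94" (rustup resolves a two-part pin to the newest patch release)
_NUMERIC = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")
# rust-toolchain.toml:  channel = "1.94.1"   |   workflow YAML:  toolchain: 1.94.1
_PIN = re.compile(r"""^\s*(?:channel\s*=|toolchain:)\s*["']?([^"'\s#]+)""", re.M)

def classify(channel: str) -> str:
    """Return 'patched', 'vulnerable' or 'floating' for one toolchain channel.

    'floating' (stable/beta/nightly, or a bare "1.94") resolves to a patched
    release only if installed after the fix, so it cannot be verified statically.
    """
    m = _NUMERIC.match(channel.strip())
    if not m:
        return "floating"
    major, minor, patch = (int(g) for g in m.groups(default=0))
    if m.group(3) is None and (major, minor) == FIXED[:2]:
        return "floating"
    return "patched" if (major, minor, patch) >= FIXED else "vulnerable"

def extract_channels(text: str) -> list[str]:
    """Pull pinned channels out of toolchain or workflow file contents."""
    channels = _PIN.findall(text)
    if not channels:  # legacy rust-toolchain: a bare channel on the first line
        first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
        if first and not first.startswith("["):
            channels.append(first)
    return channels

def audit(text: str) -> list[tuple[str, str]]:
    """Return (channel, status) for every pin found in the text."""
    return [(c, classify(c)) for c in extract_channels(text)]

if __name__ == "__main__":
    # Usage (placeholder paths): python check_toolchain.py rust-toolchain.toml .github/workflows/ci.yml
    failures = 0
    for path in sys.argv[1:]:
        for channel, status in audit(Path(path).read_text()):
            print(f"{path}: {channel} -> {status}")
            failures += status != "patched"
    sys.exit(1 if failures else 0)
```

The script exits non-zero on any pin that is not provably 1.94.1 or later, so it can run as a gating step in the pipeline it audits.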

Security Review

License: MIT / Apache-2.0 | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

rust cargo cve supply-chain tar build-pipeline patched