CVE-2026-39399

NuGet · NuGetGallery

A cross-package metadata injection vulnerability in NuGetGallery allows for arbitrary blob writes and potential remote code execution via crafted .nuspec files.

Executive summary

A critical vulnerability in the NuGetGallery backend allows attackers to achieve remote code execution and arbitrary file manipulation through malicious metadata injection.

Vulnerability

The vulnerability arises from insufficient validation of .nuspec metadata combined with URI fragment injection. Because values taken from the package's metadata are used when the gallery resolves blob paths, an attacker who submits a crafted .nuspec can influence which blob is written, including blobs that belong to other packages (hence "cross-package"). The result is unauthorized modification of repository content and, potentially, RCE.

Business impact

With a CVSS score of 9.6, this flaw poses a severe risk to the integrity of the software supply chain. An attacker who can overwrite another package's stored content could deliver malicious code to every consumer that restores that package, leading to widespread downstream compromise and significant reputational damage to the gallery operator.

Remediation

Immediate Action: Update any self-hosted NuGetGallery deployment to a build that includes the fix in commit 0e80f87628349207cdcaf55358491f8a6f1ca276, and confirm that the deployed revision actually contains that commit rather than assuming a recent checkout does.

Proactive Monitoring: Review gallery and storage logs for package metadata that deviates from the NuGet identifier grammar (for example, path separators, "..", "#" or "?" in a package id or version) and for blob writes whose target does not correspond to the uploading package's own id and version.

Compensating Controls: Validate package id and version against the NuGet identifier rules before either value is used to build a storage path, reject any value containing URI-reserved or traversal characters, and run package-processing pipelines under an identity scoped to the package's own container so that a malformed path cannot reach other packages' blobs.
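The validation and containment check described above, written here as an added Python example for the monitoring and compensating-control items. NuGetGallery itself is C#; this is not the project's code and it does not reproduce the actual flaw. The container base URL, the identifier regexes, the sample .nuspec documents and all function names are assumptions constructed for the demonstration; the unchecked resolver only shows, generically, how a "#" or "../" in metadata changes which blob path ends up being addressed.

```python
"""Added example: check .nuspec metadata before it reaches a storage path.
Not NuGetGallery code; base URL, regexes and names are assumptions."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Hypothetical blob container base (assumption, not a real gallery setting).
BLOB_BASE = "https://storage.example.invalid/packages/"

# Conservative approximation of NuGet package-id rules: letters, digits, '_',
# separated by '.' or '-', at most 100 chars. Assumption: the real validator may differ.
PACKAGE_ID_RE = re.compile(r"^[A-Za-z0-9_]+(?:[.\-][A-Za-z0-9_]+)*$")
# Simplified SemVer-style version. Assumption: NuGet's normalization rules are richer.
VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,3}(?:-[0-9A-Za-z\-]+(?:\.[0-9A-Za-z\-]+)*)?$")


def _local(tag):
    """Strip the XML namespace so the parser works for any nuspec schema version."""
    return tag.rsplit("}", 1)[-1]


def read_nuspec(xml_text):
    """Return (id, version) from a .nuspec document as raw, untrusted strings."""
    root = ET.fromstring(xml_text)
    metadata = next(e for e in root if _local(e.tag) == "metadata")
    fields = {_local(e.tag): (e.text or "").strip() for e in metadata}
    return fields["id"], fields["version"]


def resolve_blob_url_unchecked(package_id, version):
    """The risky pattern: metadata interpolated straight into a storage URL."""
    pid, ver = package_id.lower(), version.lower()
    return urljoin(BLOB_BASE, f"{pid}/{ver}/{pid}.{ver}.nupkg")


def effective_blob_path(url):
    """Path component a storage backend actually addresses (query and fragment dropped)."""
    return urlsplit(url).path


def validate_metadata(package_id, version):
    """Reject anything outside the identifier grammar before it can reach a path."""
    if len(package_id) > 100 or not PACKAGE_ID_RE.fullmatch(package_id):
        raise ValueError(f"invalid package id {package_id!r}")
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"invalid version {version!r}")
    return package_id.lower(), version.lower()


def resolve_blob_url_checked(package_id, version):
    """Hardened pattern: validate, then confirm the resolved URL stayed in the container."""
    pid, ver = validate_metadata(package_id, version)
    url = urljoin(BLOB_BASE, f"{pid}/{ver}/{pid}.{ver}.nupkg")
    base, parts = urlsplit(BLOB_BASE), urlsplit(url)
    escaped = ((parts.scheme, parts.netloc) != (base.scheme, base.netloc)
               or parts.query or parts.fragment
               or not parts.path.startswith(base.path))
    if escaped:
        raise ValueError(f"resolved blob escaped the container: {url}")
    return url


def is_accepted(package_id, version):
    """True if the hardened resolver accepts this id/version pair."""
    try:
        resolve_blob_url_checked(package_id, version)
        return True
    except ValueError:
        return False


NUSPEC_TEMPLATE = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>{id}</id>
    <version>{version}</version>
    <authors>example</authors>
    <description>constructed sample</description>
  </metadata>
</package>"""

# Constructed sample inputs (not real packages): one benign document and three whose
# metadata changes which blob the unchecked resolver would address.
SAMPLE_NUSPECS = {
    "benign": NUSPEC_TEMPLATE.format(id="Contoso.Utils", version="1.0.0"),
    "fragment": NUSPEC_TEMPLATE.format(id="Contoso.Utils#x", version="1.0.0"),
    "traversal": NUSPEC_TEMPLATE.format(id="../escaped", version="1.0.0"),
    "version-traversal": NUSPEC_TEMPLATE.format(id="Contoso.Utils", version="1.0.0/../../x"),
}


def audit_nuspecs(nuspecs):
    """Batch check for a monitoring job: map each document to 'ok' or a rejection reason."""
    verdicts = {}
    for name, text in nuspecs.items():
        try:
            pid, ver = read_nuspec(text)
            resolve_blob_url_checked(pid, ver)
            verdicts[name] = "ok"
        except (ET.ParseError, KeyError, StopIteration, ValueError) as exc:
            verdicts[name] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    for name, text in SAMPLE_NUSPECS.items():
        pid, ver = read_nuspec(text)
        print(name, "->", effective_blob_path(resolve_blob_url_unchecked(pid, ver)))
    print(audit_nuspecs(SAMPLE_NUSPECS))
```

Running the block prints, for the unchecked resolver, how the "fragment" sample collapses to the path /packages/contoso.utils (everything after "#" is fragment, not path) and how the "traversal" sample resolves outside /packages/ altogether; the audit then rejects all three crafted documents and accepts only the benign one. The post-resolution containment check is deliberately redundant with the regex validation: if either layer is weakened later, the other still refuses a path that leaves the container.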

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

The ability to turn package metadata into storage paths is a high-impact risk for any development environment. Administrators must verify the integrity of their NuGetGallery deployments, including the package content already stored in them, and apply the patch immediately to mitigate the risk of supply chain attacks.