CVE-2026-39399: CWE-20: Improper Input Validation in NuGet NuGetGallery
CVE-2026-39399 is a critical vulnerability in the NuGetGallery backend job that processes .nuspec files within NuGet packages. The flaw arises from improper input validation of package metadata, enabling attackers to inject malicious metadata via crafted .nuspec files. Exploitation involves URI fragment injection through unsanitized package identifiers, allowing arbitrary blob writes within the storage container beyond the intended .nupkg files. This can lead to remote code execution and tampering with existing content. The vulnerability affects versions prior to commit 0e80f87628349207cdcaf55358491f8a6f1ca276. A patch addressing this issue has been committed, mitigating the risk.
AI Analysis
Technical Summary
The vulnerability in NuGetGallery stems from insufficient input validation in handling .nuspec files, specifically allowing cross-package metadata injection. Attackers can exploit URI fragment injection via unsanitized package identifiers to control blob storage paths, enabling arbitrary writes to blobs in the storage container. This can result in remote code execution and unauthorized modification of stored content. The issue is fixed in commit 0e80f87628349207cdcaf55358491f8a6f1ca276, which should be applied to affected versions.
Potential Impact
Successful exploitation can lead to remote code execution and arbitrary writes to blobs within the storage container, potentially allowing attackers to tamper with existing package content or inject malicious payloads. The vulnerability does not impact confidentiality but has high integrity and availability impacts. The CVSS score is 9.6 (critical), reflecting network exploitability with low attack complexity and no user interaction required, although low privileges are needed.
Mitigation Recommendations
A patch fixing this vulnerability is available in commit 0e80f87628349207cdcaf55358491f8a6f1ca276. Users should update NuGetGallery to this fixed version or later to remediate the issue. No additional vendor advisory is provided, so patch status is based on the commit information alone. There is no indication that this is a cloud service with vendor-managed remediation. No known exploits are reported in the wild at this time.
CVSS v3.1 score: 9.6 (Critical)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-06T22:06:40.516Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69decae882d89c981f18b33e
Added to database: 4/14/2026, 11:16:56 PM
Last enriched: 4/22/2026, 6:48:08 AM
Last updated: 5/31/2026, 5:35:00 AM