Description
NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job's handling of .nuspec files within NuGet packages. An attacker can supply a crafted .nuspec file with malicious metadata, leading to cross-package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized package identifiers, allowing an attacker to control the resolved blob path. This enables writes to arbitrary blobs within the storage container, not limited to .nupkg files, resulting in potential tampering with existing content. This issue has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276.
Published: 2026-04-14
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

NuGet Gallery powers nuget.org and handles .nuspec files in its backend jobs. A crafted .nuspec file with malicious metadata can cause cross-package metadata injection, leading to remote code execution and arbitrary blob writes due to insufficient input validation. The attacker can control the resolved blob path and overwrite any blob in the storage container, potentially tampering with existing content or injecting executable code.

Affected Systems

The vendor is NuGet and the product is NuGetGallery. Every instance of NuGetGallery that has not been updated to include the patch in commit 0e80f87628349207cdcaf55358491f8a6f1ca276 is vulnerable. No specific product version range is supplied, so all unpatched deployments are at risk.

Risk and Exploitability

The CVSS score is 9.6, indicating a critical risk. The EPSS score is unavailable and the vulnerability is not listed in CISA's KEV catalog, suggesting it has not yet been detected as an actively exploited flaw. Exploitation requires an attacker to supply a malicious .nuspec file and trigger the backend job, which can be done by uploading a package or invoking the job directly. Unsanitized package identifiers are interpreted as URI fragments, allowing the attacker to set arbitrary blob paths and write to any object in the storage container. Successful exploitation can grant remote code execution and arbitrary data tampering.

Generated by OpenCVE AI on April 15, 2026 at 00:21 UTC.
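As an added illustration (not NuGetGallery's code; the container URI, the blob layout and the identifier allow-list are assumptions), the following Python model shows how a URI parser truncates a spliced identifier at '#' and how an input allow-list plus a re-check of the resolved path, the two controls CWE-20 and CWE-22 call for, refuses such a write:

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder for a storage container; the real NuGetGallery
# layout and storage client are not modelled here (hypothetical).
CONTAINER = "https://storage.example.invalid/packages"

# Conservative allow-list modelled on NuGet package ID character rules
# (letters, digits, '.', '_' and '-'); the exact pattern is an assumption.
PACKAGE_ID_RE = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_.-]*[A-Za-z0-9_])?")
VERSION_RE = re.compile(r"[0-9A-Za-z.+-]+")

def naive_blob_uri(package_id: str, version: str) -> str:
    """Unsafe pattern: splice the raw identifier into the URI string (CWE-20)."""
    return f"{CONTAINER}/{package_id}/{package_id}.{version}.nupkg"

def intended_path(package_id: str, version: str) -> str:
    """The blob path the caller believes it is writing to."""
    return f"{urlsplit(CONTAINER).path}/{package_id}/{package_id}.{version}.nupkg"

def resolved_path(uri: str) -> str:
    """What a URI-aware client sends: '#' starts a fragment, '?' a query, so the rest is dropped."""
    return urlsplit(uri).path

def path_confused(package_id: str, version: str) -> bool:
    """True when the resolved path differs from the intended one (CWE-22)."""
    return (resolved_path(naive_blob_uri(package_id, version))
            != intended_path(package_id, version))

def blob_uri_error(package_id: str, version: str):
    """Return a reason if the write must be refused, else None: allow-list, then re-check the path."""
    if not PACKAGE_ID_RE.fullmatch(package_id):
        return "package id contains characters outside the allow-list"
    if not VERSION_RE.fullmatch(version):
        return "version contains characters outside the allow-list"
    path = resolved_path(naive_blob_uri(package_id, version))
    prefix = f"{urlsplit(CONTAINER).path}/{package_id}/"
    if (not path.startswith(prefix) or "/" in path[len(prefix):]
            or not path.endswith(".nupkg")):
        return "resolved blob path left the package's own prefix"
    return None

def safe_blob_uri(package_id: str, version: str) -> str:
    """Build the URI only after both checks pass; raise otherwise."""
    error = blob_uri_error(package_id, version)
    if error is not None:
        raise ValueError(f"{package_id!r} {version!r}: {error}")
    return naive_blob_uri(package_id, version)
```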

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update NuGetGallery to a version that includes the patch from commit 0e80f87628349207cdcaf55358491f8a6f1ca276.
  • If an upgrade cannot be performed immediately, disable or tightly restrict the backend job that processes .nuspec files and quarantine any packages with suspicious metadata.
  • Implement write segmentation on the storage container to restrict write access to only the necessary automation accounts, and enable detailed logging so that any unauthorized blob changes are detected and alerted on.

Generated by OpenCVE AI on April 15, 2026 at 00:21 UTC.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Nuget; Nuget nugetgallery

Type: Vendors & Products
Values removed: (none)
Values added: Nuget; Nuget nugetgallery

Tue, 14 Apr 2026 23:15:00 +0000

Type: Description
Values removed: (none)
Values added: NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job's handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized package identifiers, allowing an attacker to control the resolved blob path. This enables writes to arbitrary blobs within the storage container, not limited to .nupkg files, resulting in potential tampering of existing content. This issue has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276.

Type: Title
Values removed: (none)
Values added: NuGet Gallery: Arbitrary Blob Overwrite via Nuspec Confusion and URI Fragment Truncation

Type: Weaknesses
Values removed: (none)
Values added: CWE-20; CWE-22

Type: References
Values removed: (none)
Values added: (empty)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T14:42:02.662Z

Reserved: 2026-04-06T22:06:40.516Z

Link: CVE-2026-39399

Vulnrichment

Updated: 2026-04-15T14:41:53.269Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T23:16:29.460

Modified: 2026-06-17T10:42:03.170

Link: CVE-2026-39399

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:28:41Z

Weaknesses
  • CWE-20: Improper Input Validation
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')