External risk intelligence

An attacker can execute code or overwrite files on a NuGet Gallery server by uploading a malicious package.

CVE advisory

Severity: CRITICAL (CVSS 9.6)

CVE-2026-39399

A critical flaw in NuGet Gallery allows attackers to execute code or overwrite files by uploading a malicious package, posing a risk to stored content and the server itself.

Halo Surface Signal: 5

Path Traversal

External exposure likelihood

Halo Surface Signal score for CVE-2026-39399

NuGet Gallery is a web-based package repository designed to receive package uploads. Its core functionality requires exposing web-accessible API endpoints to users, so it is network-exposed by design: internet-facing when run as a public service, and reachable by every client on the corporate network when run as an internal enterprise repository.

PCI scan relevance

PCI Relevance for CVE-2026-39399

Yes

CVE-2026-39399 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in NuGet Gallery allows for remote code execution and arbitrary file writes due to improper handling of package metadata. Its critical severity and network-exploitable nature make it relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in NuGet Gallery could allow an attacker to execute code on the server or modify existing content. The trigger is a specially crafted package whose metadata is not properly validated. The issue is reachable over the network through the package upload endpoint and is triggered by a crafted package identifier in the package metadata.

  • Tampering with stored content.
  • Server-side code execution.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by crafting a malicious NuGet package with a specially designed .nuspec file. The metadata in that file carries a crafted identifier that injects URI fragments or path segments, so the attacker controls where in the NuGet Gallery's storage the uploaded data is written. This allows existing content to be overwritten and potentially leads to remote code execution.

  • Requires authenticated access (the ability to push packages).
  • Exploited via crafted package upload.
  • Data validation flaw allows path traversal.
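The following is an added illustration of the mechanism described above, not NuGet Gallery's own code: a simplified storage-path builder that lets the package identifier flow straight into the blob URI, the two ways a crafted identifier redirects the write (a '..' traversal that leaves the container, and a '#' fragment that silently changes the object key), and a hardened builder that allow-lists the identifier and version and re-checks the resolved path. The container URI, the allow-list (modelled on the characters NuGet identifiers permit) and all function names are assumptions made for this example.

```python
"""Simplified model of identifier-driven storage paths (added example).
Not NuGet Gallery's code; CONTAINER, the allow-list and the function
names are assumptions for this illustration."""
import re
from urllib.parse import urljoin, urlsplit

# Assumed blob container under which package files are expected to land.
CONTAINER = "https://storage.example/packages/"

# Assumed allow-list modelled on the characters NuGet identifiers permit:
# letters, digits and '_' in segments, segments joined by a single '.' or '-'.
# Consecutive dots (hence '..'), '/', '\\', '#' and '?' can never match.
ID_PATTERN = re.compile(r"[A-Za-z0-9_]+([.\-][A-Za-z0-9_]+)*")
VERSION_PATTERN = re.compile(r"[0-9]+(\.[0-9]+)*(-[A-Za-z0-9.]+)?")
MAX_ID_LEN = 100


def blob_uri_unsafe(pkg_id: str, version: str) -> str:
    """Vulnerable pattern: the identifier flows straight into the blob URI."""
    return urljoin(CONTAINER, f"{pkg_id}.{version}.nupkg".lower())


def effective_write_path(uri: str) -> str:
    """Path component a URI-based blob client would actually write to;
    anything after '#' is a fragment and is not part of the object key."""
    return urlsplit(uri).path


def validate_package_id(pkg_id: str) -> bool:
    """Allow-list check; rejects traversal, separators and fragment markers."""
    return len(pkg_id) <= MAX_ID_LEN and ID_PATTERN.fullmatch(pkg_id) is not None


def validate_version(version: str) -> bool:
    """Allow-list check for the version string."""
    return VERSION_PATTERN.fullmatch(version) is not None


def blob_uri_safe(pkg_id: str, version: str) -> str:
    """Hardened builder: allow-list the inputs, then verify the resolved URI
    still sits inside the container (defence in depth against parser quirks)."""
    if not validate_package_id(pkg_id):
        raise ValueError(f"rejected package id: {pkg_id!r}")
    if not validate_version(version):
        raise ValueError(f"rejected version: {version!r}")
    uri = urljoin(CONTAINER, f"{pkg_id}.{version}.nupkg".lower())
    parts = urlsplit(uri)
    container_path = urlsplit(CONTAINER).path
    if parts.fragment or parts.query or not parts.path.startswith(container_path):
        raise ValueError(f"resolved URI escaped the container: {uri}")
    return uri


def is_rejected(pkg_id: str, version: str) -> bool:
    """True when the hardened builder refuses the id/version pair."""
    try:
        blob_uri_safe(pkg_id, version)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Path traversal: the '..' segments are resolved and the write leaves
    # the packages container entirely.
    print(blob_uri_unsafe("../../etc/evil", "1.0.0"))
    # URI fragment injection: the version suffix disappears into the fragment,
    # so the object key becomes 'legit' rather than 'legit.1.0.0.nupkg'.
    print(effective_write_path(blob_uri_unsafe("legit#../../admin/config", "1.0.0")))
    # The hardened builder accepts a normal identifier and rejects both above.
    print(blob_uri_safe("Newtonsoft.Json", "13.0.3"))
    print(is_rejected("../../etc/evil", "1.0.0"), is_rejected("legit#x", "1.0.0"))
```

The two checks in blob_uri_safe are deliberately redundant: the allow-list is the real fix, and the post-resolution containment check catches any future change to how the URI is assembled or parsed.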

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in NuGet Gallery's handling of nuspec files presents a significant risk. Attackers can exploit this through crafted metadata and URI fragment injection, potentially leading to remote code execution or arbitrary file writes. The nature of a package repository means it's designed to accept external input, increasing the attack surface.

  • Exploitable via package upload.
  • Potential RCE and arbitrary writes.
  • Patch available.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate patching of NuGet Gallery, as the vulnerability allows for remote code execution and arbitrary file writes. Monitor upload logs for package identifiers or .nuspec metadata that contain path separators, '..' segments or URI fragment characters ('#'), and watch blob storage for objects appearing outside the expected package container or under names that do not match the uploaded id and version. If patching is not immediately feasible, isolate the NuGet Gallery service from untrusted networks.

  • Apply patch commit 0e80f87628349207cdcaf55358491f8a6f1ca276.
  • Isolate affected services from external access.
  • Monitor uploads for .nuspec metadata carrying path traversal or URI fragment sequences, and blob storage for unexpected objects.
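As an added example of the monitoring step above (not NuGet Gallery's own logging or code), the script below runs the two checks a practitioner would want over constructed data: it scans application-level push audit records for identifiers outside the allow-list, writes outside the package container, and object keys that do not match what the recorded id and version should produce, and it flags entries in a blob listing that do not look like a package file. The log format, its field names, the container prefix and the sample lines are all constructed for this illustration.

```python
"""Detection over constructed push audit records and a blob listing
(added example). The log format, field names, container prefix and
sample data are assumptions for this illustration."""
import re

# Same allow-list idea as a hardened identifier check: letters, digits, '_',
# segments joined by a single '.' or '-'.
ID_PATTERN = re.compile(r"[A-Za-z0-9_]+([.\-][A-Za-z0-9_]+)*")
FIELD = re.compile(r"(\w+)=(\S+)")
CONTAINER_PREFIX = "packages/"
# Expected shape of a key in the container: lower-cased id, version, .nupkg.
EXPECTED_KEY = re.compile(r"packages/[a-z0-9_]+([.\-][a-z0-9_]+)*\.nupkg")

# Constructed sample of an application-level push audit log (assumed format).
SAMPLE_LOG = """\
2026-03-02T10:14:07Z push user=alice id=Contoso.Utilities version=2.1.0 blob=packages/contoso.utilities.2.1.0.nupkg
2026-03-02T10:15:22Z push user=mallory id=../../admin/config version=1.0.0 blob=admin/config.1.0.0.nupkg
2026-03-02T10:16:01Z push user=mallory id=Contoso.Utilities#../x version=9.9.9 blob=packages/contoso.utilities
2026-03-02T10:17:45Z push user=bob id=Fabrikam.Core version=1.4.2 blob=packages/fabrikam.core.1.4.2.nupkg
"""

# Constructed blob listing as a storage client might return it.
SAMPLE_LISTING = [
    "packages/contoso.utilities.2.1.0.nupkg",
    "packages/fabrikam.core.1.4.2.nupkg",
    "packages/contoso.utilities",
    "admin/config.1.0.0.nupkg",
]


def parse_push(line: str) -> dict:
    """Extract key=value fields from one audit line."""
    return dict(FIELD.findall(line))


def inspect_push(rec: dict) -> list:
    """Return the reasons a push record is suspicious (empty list if clean)."""
    pkg_id = rec.get("id", "")
    version = rec.get("version", "")
    blob = rec.get("blob", "")
    reasons = []
    if ID_PATTERN.fullmatch(pkg_id) is None:
        reasons.append("identifier contains characters outside the allow-list")
    if not blob.startswith(CONTAINER_PREFIX):
        reasons.append("object written outside the package container")
    expected = f"{CONTAINER_PREFIX}{pkg_id}.{version}.nupkg".lower()
    if blob != expected:
        reasons.append(f"object key {blob!r} differs from expected {expected!r}")
    return reasons


def scan_log(text: str) -> list:
    """(line number, user, id, reasons) for every suspicious push record."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if " push " not in line:
            continue
        rec = parse_push(line)
        reasons = inspect_push(rec)
        if reasons:
            findings.append((lineno, rec.get("user"), rec.get("id"), reasons))
    return findings


def unexpected_blobs(listing) -> list:
    """Keys outside the container or not shaped like <id>.<version>.nupkg."""
    return [key for key in listing if EXPECTED_KEY.fullmatch(key) is None]


if __name__ == "__main__":
    for lineno, user, pkg_id, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: user={user} id={pkg_id!r}")
        for reason in reasons:
            print(f"    - {reason}")
    print("unexpected blobs:", unexpected_blobs(SAMPLE_LISTING))
```

The key-versus-expected comparison is the check that survives even if an attacker finds a bypass the character allow-list does not anticipate: whatever the identifier looks like, a push that lands anywhere other than the one key the recorded id and version should produce is worth an alert.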

Frequently asked questions

What is NuGet Gallery and what is it used for?

NuGet Gallery is a package repository that powers nuget.org. It serves as a central location for developers to publish and share software packages, making it a crucial component for managing dependencies and distributing code libraries.

How does CVE-2026-39399 represent a weakness?

CVE-2026-39399 is classified as CWE-20 (Improper Input Validation) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal). The software does not properly check the data it receives, so metadata in a malicious .nuspec file can manipulate the file path used for storage and cause writes to unintended locations.

What are the preconditions for exploiting CVE-2026-39399?

An attacker must be able to upload a specially crafted NuGet package containing a malicious .nuspec file. The crafted identifier in that metadata carries URI fragment or path traversal sequences that the gallery fails to strip before building the storage path. Instances that properly sanitize the package identifier are not affected.

Who should be concerned about this vulnerability, based on Halo Surface Signal?

This vulnerability affects systems that are internet-facing, meaning they can be reached from the public internet. The Halo Surface Signal indicates that NuGet Gallery's core function requires exposure to its users, making it a significant concern for organizations that operate or use these services.

What is the first step to address this vulnerability?

The immediate first step is to apply the patch referenced by commit 0e80f87628349207cdcaf55358491f8a6f1ca276. If immediate patching is not possible, consider isolating the NuGet Gallery service from untrusted networks to reduce exposure.
