
CVE-2026-39399

NuGet Gallery - Backend Job

Microsoft CVSS 9.6 Updated April 16, 2026

Executive Risk Summary

"A security vulnerability exists in the NuGetGallery backend job's handling of .nuspec files, allowing an attacker to supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection and potential remote code execution. This issue is exploitable via URI fragment injection using unsanitized package identifiers, enabling writes to arbitrary blobs within the storage container."

Anticipated Attack Path

  1. Attacker crafts a .nuspec file with malicious metadata
  2. Attacker injects the malicious .nuspec file into the NuGet package
  3. NuGetGallery backend job processes the malicious .nuspec file, leading to cross-package metadata injection and potential remote code execution

Am I Vulnerable?

  • Verify that the NuGetGallery backend job is updated to the latest version
  • Check for any suspicious activity related to .nuspec file handling
  • Monitor the storage container for any unauthorized writes to blobs

Operational Audit Arsenal

Target Type: Service
Target Asset: NuGetGallery
Standard Path: https://github.com/NuGet/NuGetGallery
PowerShell
# 🛠️ Senior Engineer Universal Audit
# Target: NuGetGallery (Service)
# -Include matches file names, so a wildcard is needed to find the
# deployed binaries (e.g. NuGetGallery.dll) rather than a file literally
# named "NuGetGallery".
$Targets = 'NuGetGallery*'
$SearchPaths = @("$env:windir\System32", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

# Recurse through the standard install locations and report each hit
# with the product version embedded in its file metadata.
Get-ChildItem -Path $SearchPaths -Include $Targets -File -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, @{Name = "Version"; Expression = { $_.VersionInfo.ProductVersion }}

Patch Impact Forecast

Reboot Required: Unlikely

Low to moderate disruption expected, depending on the specific deployment and usage of NuGetGallery

Internal Work Notes

CVE-2026-39399: NuGet Gallery - Backend Job vulnerability allowing remote code execution and arbitrary blob writes, patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276

Data compiled from NVD, MSRC, and CISA KEV Catalog. Intelligence synthesized via AI. Scripts provided for diagnostic purposes under MIT License.