CVE-2026-11403

Sonatype · Nexus Repository Manager

A vulnerability in Nexus Repository Manager's API key generation process allows remote attackers to gain unauthorized access to repository operations as a targeted user.

Executive summary

Sonatype Nexus Repository Manager versions prior to 3.93.0 are susceptible to an API key generation flaw that allows unauthorized access to repository operations.

Vulnerability

The flaw involves insufficient entropy (CWE-331) during the generation of format-specific API keys. This allows an unauthenticated remote attacker to predict or generate keys, granting them the ability to perform actions on behalf of other users.

Business impact

The CVSS score of 8.7 underscores the critical nature of this unauthorized access vulnerability. An attacker exploiting this flaw could gain control over sensitive repository operations, potentially leading to the injection of malicious packages, theft of proprietary intellectual property, or unauthorized modification of software build artifacts.

Remediation

Immediate Action: Upgrade to Nexus Repository Manager version 3.93.0 or later immediately.

Proactive Monitoring: Audit API access logs for irregular patterns or unauthorized activity that may indicate the use of guessed or forged API keys.

Compensating Controls: Where possible, restrict access to the repository manager API to known, trusted IP addresses and enforce strict role-based access controls to limit the blast radius of any compromised accounts.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

This vulnerability represents a significant risk to the integrity of the software supply chain. Organizations utilizing Nexus Repository Manager must perform an immediate upgrade to version 3.93.0 to secure their API authentication mechanisms and protect against unauthorized repository access.