PT-2026-31544 · Sonatype · Sonatype Nexus Repository
Wes Clemons
Published: 2026-04-08 · Updated: 2026-04-08
CVE-2026-3199
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L
Name of the Vulnerable Software and Affected Versions
Sonatype Nexus Repository versions 3.22.1 through 3.90.2
Description
A flaw exists in the task management component of Sonatype Nexus Repository. An authenticated attacker who holds the privilege to create scheduled tasks can execute arbitrary code on the server, bypassing the nexus.scripts.allowCreation setting that is meant to block the creation of scripts. The underlying weakness is deserialization of untrusted data. Successful exploitation can give the attacker control of the entire artifact repository, and therefore of the artifacts it serves to downstream builds.
Recommendations
Update Sonatype Nexus Repository to a version later than 3.90.2. Until the update is applied, restrict the privilege to create scheduled tasks to trusted administrators, review existing scheduled tasks for entries you do not recognise, and do not rely on the nexus.scripts.allowCreation setting as a mitigation, since this flaw bypasses it.
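The following is an added example, not code from the advisory or from Sonatype: a small check that decides whether an instance reports a version inside the affected range 3.22.1 through 3.90.2. It parses the version out of the string the server reports; the assumption that the Server response header looks like "Nexus/3.70.1-02 (OSS)" and that the build suffix after the hyphen can be ignored is mine, and the sample strings are constructed for the example.

```python
"""Added example: classify a Nexus Repository version against the affected
range stated in the advisory (3.22.1 through 3.90.2, inclusive).
Not part of the advisory or of Sonatype's own tooling."""
import re
import urllib.error
import urllib.request
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive bounds from the advisory's "Affected Versions" section.
AFFECTED_MIN: Version = (3, 22, 1)
AFFECTED_MAX: Version = (3, 90, 2)

# First dotted triple in the text; the "-NN" build number is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_nexus_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from a string such as
    'Nexus/3.70.1-02 (OSS)' (assumed Server header shape) or a bare '3.90.2'.
    Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """Tuple comparison gives correct ordering for 3.9.x vs 3.90.x."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(text: str) -> str:
    """Return 'affected', 'not affected' or 'unknown' for a version string."""
    version = parse_nexus_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def fetch_server_header(base_url: str, timeout: float = 5.0) -> Optional[str]:
    """Read the Server header from a live instance (network; not used by the
    offline samples below). A 401/403 still carries headers, so HTTPError is
    handled rather than treated as failure."""
    try:
        with urllib.request.urlopen(base_url, timeout=timeout) as resp:
            return resp.headers.get("Server")
    except urllib.error.HTTPError as err:
        return err.headers.get("Server")
    except (urllib.error.URLError, OSError):
        return None


# Constructed sample inputs (not real observations).
SAMPLE_HEADERS = [
    "Nexus/3.22.0-02 (OSS)",   # just below the range
    "Nexus/3.22.1-02 (OSS)",   # lower bound
    "Nexus/3.70.1-02 (OSS)",   # inside
    "Nexus/3.90.2-01 (PRO)",   # upper bound
    "Nexus/3.91.0-01 (OSS)",   # first version outside the range
    "nginx/1.24.0",            # reverse proxy hiding the product version
    "",                        # header absent
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header!r:32} -> {assess(header)}")
```

Note that "nginx/1.24.0" is classified as "not affected" because the function only sees a version, not a product; in front of a reverse proxy, confirm the product before trusting the result, or read the version from the Nexus UI instead.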
Fix
Weakness Enumeration
Deserialization of Untrusted Data (CWE-502)
Related Identifiers
Affected Products
Sonatype Nexus Repository