Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable web upload (AV:N/AC:L), no user interaction, but requires the high-privilege nx-licensing-create role (PR:H); deserialization yields full RCE as Nexus user, giving C/I/A:H without scope change.
Primary rating from Vendor (Sonatype).
Lifecycle Timeline
Description (CVE.org)
An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user in Sonatype Nexus Repository 3 versions before 3.92.0.
Analysis (AI-generated)
Arbitrary OS command execution in Sonatype Nexus Repository 3 versions prior to 3.92.0 allows authenticated users holding the nx-licensing-create privilege to run commands as the Nexus process user by uploading a malicious license file. The flaw is rooted in unsafe deserialization (CWE-502) during license processing. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Requires (1) network access to the Nexus Repository 3 web interface/API, (2) valid credentials for an account holding the nx-licensing-create privilege - normally an administrator-level role - and (3) the ability to invoke the license-upload functionality with an attacker-supplied license file. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H) yields 8.6 (High) - network-reachable, low complexity, no user interaction, full impact on confidentiality, integrity and availability, but requiring high privileges. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has phished, stuffed, or otherwise obtained credentials for a Nexus administrator (or any role granted nx-licensing-create) authenticates to the Nexus UI/API, navigates to the license upload function, and submits a crafted license file whose embedded serialized payload triggers a gadget chain during parsing, yielding command execution as the Nexus OS user. From that foothold the attacker can poison stored artifacts to pivot into downstream build pipelines, exfiltrate proprietary code and credentials cached on the host, or stage further internal movement. |
| Remediation | Vendor-released patch: upgrade to Sonatype Nexus Repository 3.92.0 or later, per the 3.92.0 release notes (https://help.sonatype.com/en/sonatype-nexus-repository-3-92-0-release-notes.html) and the Sonatype advisory (https://support.sonatype.com/hc/en-us/articles/52335766035603). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI-generated)
Within 24 hours: Inventory all Sonatype Nexus Repository 3 instances and current versions; audit access logs for users with nx-licensing-create privilege; restrict licensing file upload permissions pending patching. …
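The two inventory checks above (is an instance below the fixed release, and who can actually reach the license-upload function) can be scripted. The following is an added example written for this page, not Sonatype's code and not part of the advisory. It assumes Nexus version strings of the form `3.91.2-01` (release number plus build suffix), role and user records shaped like the `/service/rest/v1/security/roles` and `/service/rest/v1/security/users` JSON responses (fields `id`, `privileges`, `roles`, `userId`), and that the `nx-all` wildcard privilege held by `nx-admin` implies `nx-licensing-create`; the sample roles and users are constructed.

```python
"""Defender-side checks for the Nexus Repository 3 license-upload issue.

  1. is_vulnerable(): is a Nexus 3 version string below the fixed 3.92.0?
  2. users_with_privilege(): which users effectively hold
     nx-licensing-create, directly or through nested roles?

The role/user records at the bottom are constructed sample data shaped
like the Nexus security REST responses (an assumption of this example).
"""
import re

FIXED_VERSION = (3, 92, 0)           # first release with the fix (per the page)
PRIVILEGE = "nx-licensing-create"
WILDCARD = "nx-all"                  # assumption: wildcard privilege of nx-admin


def parse_version(version: str) -> tuple:
    """Turn '3.91.2-01' (or '3.92.0') into (3, 91, 2).

    The '-NN' build suffix is ignored because the fix is keyed on the
    release number, not the build.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Nexus version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version: str) -> bool:
    """True for any 3.x release before 3.92.0.

    Tuple comparison avoids the classic string-compare mistake where
    '3.9.0' would sort after '3.92.0'.
    """
    v = parse_version(version)
    return v[0] == 3 and v < FIXED_VERSION


def effective_privileges(role_id, roles_by_id, seen=None):
    """Flatten a role's privileges through nested roles; 'seen' guards
    against role cycles so a misconfigured instance cannot loop forever."""
    seen = set() if seen is None else seen
    if role_id in seen or role_id not in roles_by_id:
        return set()
    seen.add(role_id)
    role = roles_by_id[role_id]
    privs = set(role.get("privileges", []))
    for nested in role.get("roles", []):
        privs |= effective_privileges(nested, roles_by_id, seen)
    return privs


def users_with_privilege(users, roles, privilege=PRIVILEGE):
    """Return the sorted userIds that can exercise 'privilege', counting
    the nx-all wildcard as a grant."""
    roles_by_id = {r["id"]: r for r in roles}
    holders = []
    for user in users:
        privs = set()
        for rid in user.get("roles", []):
            privs |= effective_privileges(rid, roles_by_id)
        if privilege in privs or WILDCARD in privs:
            holders.append(user["userId"])
    return sorted(holders)


# Constructed sample data (not from any real instance).
SAMPLE_ROLES = [
    {"id": "nx-admin", "privileges": ["nx-all"], "roles": []},
    {"id": "license-ops",
     "privileges": ["nx-licensing-create", "nx-licensing-read"], "roles": []},
    # release-managers inherits license-ops, so its members can upload a license
    {"id": "release-managers",
     "privileges": ["nx-repository-view-*-*-*"], "roles": ["license-ops"]},
    {"id": "developers",
     "privileges": ["nx-repository-view-*-*-read"], "roles": []},
]
SAMPLE_USERS = [
    {"userId": "admin", "roles": ["nx-admin"]},
    {"userId": "rm-alice", "roles": ["release-managers"]},
    {"userId": "dev-bob", "roles": ["developers"]},
]

if __name__ == "__main__":
    for v in ("3.91.2-01", "3.92.0-01", "3.70.1-02"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    print("users who can upload a license:",
          users_with_privilege(SAMPLE_USERS, SAMPLE_ROLES))
```

The second check is the useful one while patching is pending: the privilege is usually reached indirectly through an admin or nested role rather than assigned to a user outright, so reviewing only the users that name `nx-licensing-create` directly will miss holders such as `rm-alice` in the sample.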
External POC / Exploit Code
EUVD-2026-37139
GHSA-mfx4-8g7q-p97w