How to fix CVE-2026-3199?

Within 24 hours: Identify all Nexus Repository instances running versions 3.22.1-3.90.2 and document task creation permission assignments. Restrict task creation permissions to essential personnel only and disable if unused. Within 7 days: Contact Sonatype for patch availability timeline and available workarounds; evaluate upgrade feasibility to version 3.90.3 or later if released. Within 30 days: Complete upgrade to patched version or implement compensating controls; conduct access review of all accounts with task creation permissions and audit recent task creation history for suspicious activity.

Is Deserialization affected by CVE-2026-3199?

Sonatype Nexus Repository versions 3.22.1 through 3.90.2 contain a critical remote code execution vulnerability that allows authenticated users with task creation permissions to execute arbitrary code on the repository server, bypassing existing security controls.

CVE-2026-3199

EUVD-2026-20756 CRITICAL

2026-04-08 103e4ec9-0a87-450b-af77-479448ddef11

GHSA-4685-c5cp-vp95

GHSA-48wf-g7cp-gr3m

GHSA-5f9p-f3w2-fwch

GHSA-6f6j-wx9w-ff4j

GHSA-cfvj-7rx7-fc7c

GHSA-fg3m-vhrr-8gj6

GHSA-gw85-xp4q-5gp9

GHSA-mqr9-vqhq-3jxw

GHSA-q399-23r3-hfx4

GHSA-w2wq-7mq5-mvww

GHSA-wm8r-w8pf-2v6w

9.4

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch Released

Apr 09, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 08, 2026 - 23:24 euvd

EUVD-2026-20756

Analysis Generated

Apr 08, 2026 - 23:24 vuln.today

CVE Published

Apr 08, 2026 - 23:16 nvd

CRITICAL 9.4

Description

A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control.

Analysis

Remote code execution in Sonatype Nexus Repository 3.22.1-3.90.2 allows authenticated attackers with task creation permissions to execute arbitrary code via unsafe deserialization in the task management component. Exploitation bypasses the nexus.scripts.allowCreation security control, granting unauthorized code execution on the server. …

Remediation

Within 24 hours: Identify all Nexus Repository instances running versions 3.22.1-3.90.2 and document task creation permission assignments. Restrict task creation permissions to essential personnel only and disable if unused. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +47

POC: 0

CVE-2026-3199 vulnerability details – vuln.today

Back

CVE-2026-3199

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-3199

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code