API Key Vulnerability in Sonatype Nexus Repository Manager
CVE-2026-11403

8.7HIGH

Key Information:

Vendor

Sonatype

Vendor
CVE Published:
14 July 2026

What is CVE-2026-11403?

A vulnerability exists in Sonatype Nexus Repository Manager's generation of format-specific API keys, which may allow remote attackers to exploit this flaw and gain unauthorized access to repository operations tied to targeted users. For this vulnerability to be exploitable, specific format-specific API key realms like NuGet, Docker, or npm must be enabled, and the targeted user must possess an active API key. This situation underscores the importance of bolstering security measures around API key management and user access controls.

Affected Version(s)

Nexus Repository Manager 3.0.0 < 3.93.0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sanjok Karki (@thesanjok) of National Forensic Sciences University, Goa.
.