{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3199", "assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11", "state": "PUBLISHED", "assignerShortName": "Sonatype", "dateReserved": "2026-02-25T13:05:59.905Z", "datePublished": "2026-04-08T22:17:10.117Z", "dateUpdated": "2026-04-08T22:17:10.117Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "103e4ec9-0a87-450b-af77-479448ddef11", "shortName": "Sonatype", "dateUpdated": "2026-04-08T22:17:10.117Z"}, "title": "Nexus Repository 3 - Authenticated Remote Code Execution via Task Property Injection", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "type": "CWE"}]}], "affected": [{"vendor": "Sonatype", "product": "Nexus Repository", "versions": [{"status": "affected", "version": "3.22.1", "lessThan": "3.91.0", "versionType": "semver"}], "defaultStatus": "unaffected", "cpes": ["cpe:2.3:a:sonatype:nexus_repository_manager:3.22.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.23.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.24.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.25.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.25.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.26.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.26.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.27.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.28.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.28.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.29.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.29.2:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.30.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.30.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.31.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.31.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.32.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.32.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.33.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.33.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.34.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.34.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.35.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.36.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.37.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.37.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.37.2:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.37.3:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.38.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.38.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.39.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.40.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.40.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.41.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.41.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.42.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.43.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.44.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.45.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.45.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.46.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.47.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.47.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.48.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.49.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.50.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.51.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.52.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.53.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.53.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.54.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.54.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.55.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.56.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.57.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.57.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.58.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.58.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.59.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.60.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.61.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.62.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.63.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.64.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.65.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.66.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.67.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.67.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.68.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.68.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.69.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.70.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.70.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.70.2:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.70.3:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.71.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.72.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.73.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.74.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.75.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.75.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.76.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.76.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.77.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.78.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.78.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.79.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.80.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.81.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.82.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.83.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.83.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.83.2:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.84.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.84.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.85.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.86.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.86.2:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.87.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.87.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.88.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.89.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.90.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.90.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonatype:nexus_repository_manager:3.90.2:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control."}]}], "references": [{"url": "https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html", "tags": ["patch"]}, {"url": "https://support.sonatype.com/hc/en-us/articles/50615414548499", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.4, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}, "credits": [{"lang": "en", "value": "Wes Clemons of Millennium Corporation", "type": "finder"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control."}], "id": "CVE-2026-3199", "lastModified": "2026-04-08T23:16:59.160", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "103e4ec9-0a87-450b-af77-479448ddef11", "type": "Secondary"}]}, "published": "2026-04-08T23:16:59.160", "references": [{"source": "103e4ec9-0a87-450b-af77-479448ddef11", "url": "https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html"}, {"source": "103e4ec9-0a87-450b-af77-479448ddef11", "url": "https://support.sonatype.com/hc/en-us/articles/50615414548499"}], "sourceIdentifier": "103e4ec9-0a87-450b-af77-479448ddef11", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "103e4ec9-0a87-450b-af77-479448ddef11", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.22.1,3.91.0)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Nexus Repository", "source": "cna", "vendor": "Sonatype"}, "product": "nexus_repository_manager", "vendor": "sonatype"}], "analysis": {"en": {"generated_at": "2026-04-08T23:52:29.144529+00:00", "value": {"mitigation_remediation": ["Upgrade to Nexus Repository Manager version 3.91.0 or later, where the issue is fixed.", "Restrict task creation permissions to trusted users only.", "Ensure the nexus.scripts.allowCreation property is enabled when task creation is required.", "Monitor logs for unexpected or unauthorized task creation activity.", "Apply general system hardening if an immediate upgrade is not possible."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Sonatype Nexus Repository Manager versions 3.22.1 through 3.90.2 are affected. This includes all releases in that range as listed by the CNA.", "description_and_impact": "A flaw in the task management component of Sonatype Nexus Repository Manager allows an authenticated user who can create tasks to submit malicious data that is executed as code when the task runs. By crafting a vulnerability\u2011laden task, the attacker can bypass the nexus.scripts.allowCreation control and run arbitrary commands with the privileges of the Nexus process, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 9.4 signals a high\u2011magnitude risk. Exploitation requires the attacker to be authenticated and possess task creation rights, a permission typically held by developers or administrators. No public exploitation data is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Once the attacker submits a malicious task, code executes with the Nexus process privileges, giving the attacker full control over the server."}}}}, "created": "2026-04-09T08:16:17.517249+00:00", "updated": "2026-04-09T08:25:43.667798+00:00", "vendors": ["sonatype", "sonatype$PRODUCT$nexus_repository_manager"]}