Home

Description

A vulnerability in Sonatype Nexus Repository Manager's format-specific API key generation may allow a remote attacker to gain unauthorized access to repository operations as a targeted user. A format-specific API key realm (NuGet API Key, Docker Bearer Token, or npm Bearer Token) must be enabled and the targeted user must have an active API key for this vulnerability to be exploitable.

PUBLISHED Reserved 2026-06-05 | Published 2026-07-14 | Updated 2026-07-14 | Assigner Sonatype




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-331 Insufficient entropy

Product status

Default status
unaffected

3.0.0 (semver) before 3.93.0
affected

Credits

Sanjok Karki (@thesanjok) of National Forensic Sciences University, Goa. finder

References

help.sonatype.com/...us-repository-3-93-0-release-notes.html patch

support.sonatype.com/hc/en-us/articles/52347011450515/ vendor-advisory

cve.org (CVE-2026-11403)

nvd.nist.gov (CVE-2026-11403)

Download JSON