CVE-2026-3048

Description

An authenticated administrator who configures or tests LDAP connectivity in Sonatype Nexus Repository Manager versions 3.0.0 through 3.91.1 may be able to initiate unintended server-side connections when interacting with a malicious LDAP server.

PUBLISHED Reserved 2026-02-23 | Published 2026-05-11 | Updated 2026-05-11 | Assigner Sonatype

Problem types

CWE-502 Deserialization of Untrusted Data

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Credits

Icare (@Icare1337) finder

References

help.sonatype.com/...us-repository-3-92-0-release-notes.html patch

support.sonatype.com/hc/en-us/articles/51591695462675 vendor-advisory

cve.org (CVE-2026-3048)

nvd.nist.gov (CVE-2026-3048)

Download JSON