Sonatype Nexus Security Advisory
Date: April 8, 2026
Affected Versions: Sonatype Nexus Repository 3.22.1 through 3.90.x (CE/Pro)
Fixed in Version: Sonatype Nexus Repository CE/Pro version 3.91.0
Summary
A vulnerability in the task management component of Sonatype Nexus Repository Manager allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing administrative script execution controls. Successful exploitation results in full compromise of the Nexus server and its contents.
This vulnerability is fixed in version 3.91.0. Customers are strongly encouraged to upgrade immediately.
Recommendation
Customers using Nexus Repository 3 versions 3.22.1 through 3.90.x should upgrade to version 3.91.0 or later as soon as possible. Download the latest version from https://help.sonatype.com/repomanager3/product-information/download.
Credit
This issue was discovered and reported responsibly by Wes Clemons of Millennium Corporation via Sonatype’s Bug Bounty Program.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An authenticated attacker with task creation permissions can execute arbitrary code on the Nexus Repository server, bypassing a security control specifically designed to prevent this. Successful exploitation results in full compromise of the Nexus server and its contents.
Q: What preconditions must be met in order to be vulnerable?
A: The attacker must be authenticated and hold a task creation (task management) privilege. This privilege is not restricted to administrators: it can be delegated to regular users through roles, so any account that has been granted it, directly or via a nested role, satisfies the precondition.
Q: Are there implications associated with this advisory itself?
A: Yes. Public disclosure of security vulnerabilities can enable malicious actors to develop exploits targeting unpatched systems. Given the severity of this issue, organizations should prioritize upgrading to version 3.91.0 and, before and after patching, review which accounts hold task creation permissions, whether those grants are still justified, and whether any such account may have been misused (for example by checking the server's scheduled task list and any available audit logs for tasks created by non-administrative accounts).
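The following script is an added example, not Sonatype code, that turns the two practitioner checks above (is my version in the affected range, and which accounts effectively hold task privileges, including through nested roles) into something runnable offline. It assumes the record shapes of the Nexus 3 REST API role and user endpoints (roles with id, privileges and nested roles; users with userId and roles) and assumes that task-related privileges are identified by an nx-tasks- prefix plus the nx-all wildcard; both are assumptions to verify against your own export, and the sample data is constructed.

```python
"""Audit helpers for the Nexus Repository task-privilege advisory.

Added example, not Sonatype code. Assumptions (verify against your deployment):
- Affected range is 3.22.1 <= version < 3.91.0 (3.90.x is the last affected minor).
- Role records look like {"id": ..., "privileges": [...], "roles": [nested ids]}
  and user records like {"userId": ..., "roles": [role ids]}; these field names
  mirror the Nexus 3 REST security endpoints but are assumed here.
- Task privileges start with "nx-tasks-"; "nx-all" grants everything.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

AFFECTED_MIN = (3, 22, 1)
FIXED = (3, 91, 0)

TASK_PRIVILEGE_PREFIX = "nx-tasks-"   # assumed naming
WILDCARD_PRIVILEGE = "nx-all"         # assumed naming


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing build suffix such as '-02' is ignored."""
    core = version.split("-")[0]
    parts = core.split(".")
    if len(parts) < 2:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) > 2 else 0
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies in the advisory's affected range."""
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED


def effective_privileges(role_id: str, roles_by_id: Dict[str, dict],
                         seen: Optional[Set[str]] = None) -> Set[str]:
    """Flatten a role's privileges, following nested roles and tolerating cycles."""
    if seen is None:
        seen = set()
    if role_id in seen or role_id not in roles_by_id:
        return set()          # unknown or already-visited role contributes nothing new
    seen.add(role_id)
    role = roles_by_id[role_id]
    privs = set(role.get("privileges", []))
    for nested in role.get("roles", []):
        privs |= effective_privileges(nested, roles_by_id, seen)
    return privs


def task_privileges(privs: Iterable[str]) -> Set[str]:
    """Keep only privileges that confer task creation/management rights."""
    return {p for p in privs
            if p.startswith(TASK_PRIVILEGE_PREFIX) or p == WILDCARD_PRIVILEGE}


def users_with_task_privileges(users: List[dict], roles: List[dict]) -> Dict[str, Set[str]]:
    """Map each user to the task-related privileges they effectively hold."""
    roles_by_id = {r["id"]: r for r in roles}
    findings: Dict[str, Set[str]] = {}
    for user in users:
        privs: Set[str] = set()
        for rid in user.get("roles", []):
            privs |= effective_privileges(rid, roles_by_id)
        hits = task_privileges(privs)
        if hits:
            findings[user["userId"]] = hits
    return findings


# Constructed sample data, in the assumed record shapes above.
SAMPLE_ROLES = [
    {"id": "nx-admin", "privileges": ["nx-all"], "roles": []},
    {"id": "ci-deployer", "privileges": ["nx-repository-view-*-*-*"], "roles": ["task-operator"]},
    {"id": "task-operator",
     "privileges": ["nx-tasks-create", "nx-tasks-run", "nx-tasks-read"], "roles": []},
    {"id": "reader", "privileges": ["nx-repository-view-*-*-read"], "roles": []},
]
SAMPLE_USERS = [
    {"userId": "admin", "roles": ["nx-admin"]},
    {"userId": "ci-bot", "roles": ["ci-deployer"]},   # inherits task privileges via nesting
    {"userId": "alice", "roles": ["reader"]},
]

if __name__ == "__main__":
    for ver in ("3.21.2", "3.22.1", "3.70.1-02", "3.90.5", "3.91.0"):
        print(f"{ver:>10}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for user_id, privs in users_with_task_privileges(SAMPLE_USERS, SAMPLE_ROLES).items():
        print(f"{user_id}: {sorted(privs)}")
```

Feed it the JSON you export from your own server in place of the sample lists; the point of the nested-role walk is that an account such as ci-bot above never holds a task privilege directly, yet still meets the advisory's precondition, which is exactly the kind of grant a flat review of role names would miss.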
Q: Why is Sonatype making this information available?
A: Sonatype follows responsible disclosure practices and coordinates with security researchers to ensure vulnerabilities are fixed before public disclosure. We proactively notify customers so they can protect their systems before malicious actors can develop and deploy exploits.