Sonatype Nexus Security Advisory
Date: 2026-05-11
Affected Versions: Sonatype Nexus Repository 3.0.0 through 3.91.x (CE/Pro)
Fixed in Version: Sonatype Nexus Repository CE/Pro version 3.92.0
Summary
A vulnerability in the LDAP authentication component of Sonatype Nexus Repository Manager allows an authenticated administrator who configures or tests LDAP connectivity to initiate unintended server-side connections when interacting with a malicious LDAP server. Successful exploitation requires administrative access to the LDAP configuration and interaction with an attacker-controlled LDAP server.
This vulnerability is fixed in version 3.92.0. Customers are encouraged to upgrade. A workaround is available for those who cannot upgrade immediately.
Recommendation
Customers using Nexus Repository 3 versions 3.0.0 through 3.91.x should upgrade to version 3.92.0 or later. Download the latest version from https://help.sonatype.com/repomanager3/product-information/download.
Immediate Mitigation Options
For organizations that cannot upgrade immediately, the following configuration change prevents exploitation:
- Disable LDAP referral following: Add the following property to nexus.properties:
  nexus.ldap.env.java.naming.referral=ignore
  This setting prevents the Nexus server from following LDAP referrals and eliminates the attack vector. The server will need to be restarted after applying this change.
- Restrict LDAP configuration access: Ensure that LDAP configuration permissions are granted only to highly trusted administrator accounts, reducing the pool of users who could trigger the vulnerability.
- Restrict network access: Limit access to the Nexus Repository management interface to trusted network segments or VPN-only access.
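The following script, added here as an example and not Sonatype's own tooling, applies the referral mitigation above to a nexus.properties file idempotently and verifies the result: it rewrites an existing nexus.ldap.env.java.naming.referral line to ignore rather than appending a second copy, and the check fails if the key is missing, duplicated, or set to anything other than ignore. The file location (<data-dir>/etc/nexus.properties on a typical install) is an assumption; pass the real path as the first argument, and restart Nexus afterwards as the advisory states.

```shell
#!/bin/sh
# Added example (not Sonatype tooling): set the mitigation property
#   nexus.ldap.env.java.naming.referral=ignore
# in a nexus.properties file idempotently, then verify it is present exactly once.
# Path assumption: on a typical install the file is <data-dir>/etc/nexus.properties;
# pass the actual path as the first argument. Nexus must be restarted afterwards.

PROP_KEY="nexus.ldap.env.java.naming.referral"
PROP_VALUE="ignore"
# Regex-safe form of the key (dots escaped) for grep/sed matching.
PROP_KEY_RE=$(printf '%s' "$PROP_KEY" | sed 's/\./\\./g')

# set_referral_ignore FILE
# Adds the property, or rewrites an existing line (e.g. "=follow") to "=ignore".
# Creates FILE if it does not exist.
set_referral_ignore() {
  file="$1"
  [ -f "$file" ] || : > "$file"
  if grep -q "^${PROP_KEY_RE}=" "$file"; then
    tmp="${file}.tmp.$$"
    sed "s|^${PROP_KEY_RE}=.*|${PROP_KEY}=${PROP_VALUE}|" "$file" > "$tmp" && mv "$tmp" "$file"
  else
    printf '%s=%s\n' "$PROP_KEY" "$PROP_VALUE" >> "$file"
  fi
}

# check_referral_ignore FILE
# Returns 0 only when the key appears exactly once and is set to "ignore";
# a duplicate key with another value would make the effective setting ambiguous.
check_referral_ignore() {
  file="$1"
  [ -f "$file" ] || return 1
  count=$(grep -c "^${PROP_KEY_RE}=" "$file" || true)
  [ "$count" -eq 1 ] && grep -q "^${PROP_KEY_RE}=${PROP_VALUE}\$" "$file"
}

# Stand-alone use: ./referral-ignore.sh /path/to/nexus.properties
if [ "$#" -ge 1 ]; then
  set_referral_ignore "$1"
  if check_referral_ignore "$1"; then
    echo "ok: $PROP_KEY=$PROP_VALUE set in $1 (restart Nexus to apply)"
  else
    echo "error: could not verify $PROP_KEY in $1" >&2
    exit 1
  fi
fi
```

The check function is the useful half for ongoing assurance: run it from a configuration-audit job so that a later edit that flips the value back to follow, or re-adds the key with a different value, is caught before the next LDAP change is made through the management interface.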
Credit
This issue was discovered and reported responsibly by Icare (@Icare1337) via Sonatype’s Bug Bounty Program.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An authenticated administrator interacting with a malicious LDAP server while configuring or testing LDAP connectivity may cause the Nexus server to establish unintended outbound connections. The confirmed impact is limited.
Q: What preconditions must be met in order to be vulnerable?
A: The attacker must either have administrative access to configure LDAP connectivity, or be able to influence an administrator to test connectivity against an attacker-controlled LDAP server. The vulnerability only affects instances where LDAP authentication is configured or being configured.
Q: Are there implications associated with this advisory itself?
A: Yes. Public disclosure of security vulnerabilities can enable malicious actors to target unpatched systems. Organizations should assess their exposure and apply the available mitigation or upgrade to 3.92.0.
Q: Why is Sonatype making this information available?
A: Sonatype follows responsible disclosure practices and coordinates with security researchers to ensure vulnerabilities are fixed before public disclosure. We proactively notify customers so they can protect their systems before malicious actors can develop and deploy exploits.