Sonatype Nexus Security Advisory
Date: 2026-05-11
Affected Versions: Sonatype Nexus Repository 3.6.0 through 3.91.x (CE/Pro)
Fixed in Version: Sonatype Nexus Repository CE/Pro version 3.92.0
Summary
A vulnerability that requires action has been discovered in Nexus Repository 3.
An authenticated user with upload permission to a hosted repository can store content that causes arbitrary JavaScript to execute in the browser of any user who browses that repository directory via the HTML index page. This could allow the attacker to perform actions in the context of the victim’s session.
We have mitigated the issue with an internal code change. This vulnerability was identified by an external researcher and has been verified by our security team.
Recommendation
We highly recommend that all affected instances of Sonatype Nexus Repository 3 be upgraded to Nexus Repository version 3.92.0 or later. Download the latest version from the following location: https://help.sonatype.com/repomanager3/download
Immediate Mitigation Options
Upgrading Nexus Repository is the recommended approach for eliminating this vulnerability. If you cannot upgrade immediately, consider the following temporary mitigations:
- Restrict upload permissions on hosted repositories to trusted users and service accounts only.
- Configure a reverse proxy or WAF to block or sanitize requests to the HTML browse endpoint (/service/rest/repository/browse/) from untrusted networks.
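One way to apply the reverse-proxy mitigation above with nginx, as an added example that is not part of this advisory or of Sonatype's documentation; the upstream address, hostname and trusted CIDR ranges are assumptions to be replaced with your own values:

```nginx
# Added example (not from the advisory): nginx in front of Nexus Repository 3,
# limiting the HTML browse endpoint named in the advisory to trusted networks.
# Assumptions: Nexus listens on 127.0.0.1:8081; 10.0.0.0/8 and 192.168.0.0/16
# are the trusted ranges; the hostname is a placeholder.
upstream nexus {
    server 127.0.0.1:8081;
}

server {
    listen 443 ssl;
    server_name nexus.example.internal;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key directives omitted for brevity

    # Temporary mitigation: only trusted networks may load the HTML index page.
    # Other clients receive 403. Artifact downloads and the REST API are not
    # affected by this block, so builds keep working.
    location ^~ /service/rest/repository/browse/ {
        allow 10.0.0.0/8;
        allow 192.168.0.0/16;
        deny  all;
        proxy_pass http://nexus;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else is proxied unchanged.
    location / {
        proxy_pass http://nexus;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

If another proxy or load balancer sits in front of nginx, `allow`/`deny` see that device's address, so configure `set_real_ip_from` and `real_ip_header` (ngx_http_realip_module) first. This only narrows who can reach the rendering path; it does not remove stored content, so upgrading to 3.92.0 remains the actual fix.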
Credit
This issue was discovered and reported responsibly by Ky0toFu (@Ky0toFu) via Sonatype’s Bug Bounty Program.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An authenticated user with repository upload permissions may be able to perform actions in the context of another user’s session, potentially gaining access to functionality available to that user within the Nexus Repository instance.
Q: What preconditions must be met in order to be vulnerable?
A: An attacker must have authenticated access to a Nexus Repository instance (versions 3.6.0 through any version prior to 3.92.0) with permission to upload content to at least one hosted repository. A separate user must then browse the repository contents using the built-in HTML index page.
Q: Are there implications associated with this advisory itself?
A: Disclosure unfortunately means bad actors may try to take advantage. While we have initially limited the information to the minimum details necessary for users to effect an appropriate fix, this merely slows down a would-be attacker. As such, we are advising all organizations using Nexus Repository to immediately assess their individual impact and take appropriate action in response.
Q: Why is Sonatype making this information available?
A: This is part of a responsible disclosure process. Given that Sonatype Nexus Repository 3 is an open-source project with widespread usage, notifying the user base will invariably lead to broad dissemination. We are taking a concerted and proactive approach in our outreach activities in an effort to achieve the most rapid remediation possible.