Sonatype Nexus Security Advisory
Date: June 16, 2026
Affected Versions: All Sonatype Nexus Repository 3.x CE/Pro versions before 3.92.0
Fixed in Version: Sonatype Nexus Repository CE/Pro version 3.92.0
Summary
A Remote Code Execution vulnerability (CVE-2026-10748) exists in the license installation functionality of Sonatype Nexus Repository Manager 3. An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file that causes the server to execute arbitrary operating system commands as the Nexus process user. Successful exploitation results in full server compromise.
This vulnerability is fixed in version 3.92.0. Customers are strongly encouraged to upgrade immediately.
At the time of this advisory, Sonatype is not aware of active exploitation of this vulnerability in the wild.
Recommendation
We strongly recommend that all affected instances of Sonatype Nexus Repository 3 be upgraded to Nexus Repository version 3.92.0 or later. Download the latest version from the following location: https://help.sonatype.com/repomanager3/product-information/download
As an additional precaution, review who holds the nx-licensing-create privilege in your instance and ensure it is restricted to fully trusted administrators.
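The following script is an added example for carrying out that review; it is not Sonatype's code and not part of this advisory. It takes the role and user records Nexus Repository 3 exposes through its Security Management REST API (the list endpoints /service/rest/v1/security/roles and /service/rest/v1/security/users, whose paths and JSON field names are assumed here) and reports every account that effectively holds nx-licensing-create, including accounts that get it indirectly through nested roles or through the built-in nx-all wildcard privilege. The records embedded below are constructed sample data so the script runs offline.

```python
"""Audit which Nexus Repository accounts effectively hold nx-licensing-create.

Added example, not Sonatype code. The record shapes mirror what the Nexus 3
Security Management REST API returns for roles and users (assumed field names:
id / privileges / roles for a role, userId / status / roles for a user).
"""
import base64
import json
import urllib.request
from typing import Dict, List, Optional, Set

TARGET_PRIVILEGE = "nx-licensing-create"
WILDCARD_PRIVILEGE = "nx-all"  # built-in privilege that grants everything

# Constructed sample data shaped like GET /service/rest/v1/security/roles.
SAMPLE_ROLES = [
    {"id": "nx-admin", "name": "nx-admin", "privileges": ["nx-all"], "roles": []},
    {"id": "license-ops", "name": "License operators",
     "privileges": ["nx-licensing-create", "nx-licensing-read"], "roles": []},
    # platform-team holds the privilege only indirectly, via license-ops.
    {"id": "platform-team", "name": "Platform team",
     "privileges": ["nx-repository-view-*-*-read"], "roles": ["license-ops"]},
    {"id": "nx-anonymous", "name": "nx-anonymous",
     "privileges": ["nx-search-read"], "roles": []},
]

# Constructed sample data shaped like GET /service/rest/v1/security/users.
SAMPLE_USERS = [
    {"userId": "admin", "status": "active", "roles": ["nx-admin"]},
    {"userId": "alice", "status": "active", "roles": ["platform-team"]},
    {"userId": "bob", "status": "active", "roles": ["nx-anonymous"]},
    {"userId": "carol", "status": "disabled", "roles": ["license-ops"]},
]


def effective_privileges(role_id: str, roles_by_id: Dict[str, dict],
                         seen: Optional[Set[str]] = None) -> Set[str]:
    """Privileges a role grants directly or through nested roles.

    `seen` stops infinite recursion if roles are nested in a cycle; unknown
    role ids (e.g. a role deleted but still referenced) contribute nothing.
    """
    seen = seen if seen is not None else set()
    if role_id in seen or role_id not in roles_by_id:
        return set()
    seen.add(role_id)
    role = roles_by_id[role_id]
    privs = set(role.get("privileges", []))
    for nested in role.get("roles", []):
        privs |= effective_privileges(nested, roles_by_id, seen)
    return privs


def grants_target(privs: Set[str]) -> bool:
    """True if the privilege set includes the target or the nx-all wildcard."""
    return TARGET_PRIVILEGE in privs or WILDCARD_PRIVILEGE in privs


def audit(users: List[dict], roles: List[dict]) -> Dict[str, List[str]]:
    """Map userId -> sorted role ids that confer TARGET_PRIVILEGE.

    Disabled accounts are included on purpose: re-enabling one restores the
    privilege, so they belong in the review too.
    """
    roles_by_id = {r["id"]: r for r in roles}
    holders: Dict[str, List[str]] = {}
    for user in users:
        via = sorted(rid for rid in user.get("roles", [])
                     if grants_target(effective_privileges(rid, roles_by_id)))
        if via:
            holders[user["userId"]] = via
    return holders


def fetch_json(base_url: str, path: str, username: str, password: str):
    """Fetch one REST list endpoint with HTTP basic auth (not called by default)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Authorization": "Basic " + token,
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Replace the sample lists with fetch_json(base, "/service/rest/v1/security/roles", u, p)
    # and fetch_json(base, "/service/rest/v1/security/users", u, p) to audit a live instance.
    statuses = {u["userId"]: u.get("status", "?") for u in SAMPLE_USERS}
    for user_id, via in audit(SAMPLE_USERS, SAMPLE_ROLES).items():
        print(f"{user_id:<12} {statuses[user_id]:<9} via {', '.join(via)}")
```

Every account the report lists can upload a license file and therefore, on an unpatched instance, run commands as the Nexus process user; anyone outside the set of fully trusted administrators should lose the role that confers the privilege until the instance is on 3.92.0 or later. Note that nx-all is treated as granting the privilege, so the built-in nx-admin role always appears.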
Credit
This issue was discovered and reported responsibly by Rahul Maini with Hacktron AI.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An attacker who exploits this vulnerability can execute arbitrary operating system commands on the server running Nexus Repository Manager, with the same privileges as the Nexus process. This can lead to full server compromise. This vulnerability is rated High (CVSS v4.0 score: 8.6).
Q: What preconditions must be met in order to be vulnerable?
A: The attacker must be authenticated to Nexus Repository Manager and hold the nx-licensing-create privilege. By default, this privilege is assigned to the administrator role, but it can be delegated to other users. All Nexus Repository Manager 3.x versions prior to 3.92.0 are affected regardless of operating system or deployment type.
Q: Are there implications associated with this advisory itself?
A: Yes. Public disclosure of security vulnerabilities can enable malicious actors to develop exploits and target unpatched systems. Organizations should assess their exposure and take appropriate action by upgrading to version 3.92.0 as soon as possible.
Q: Why is Sonatype making this information available?
A: Sonatype follows responsible disclosure practices and coordinates with security researchers to ensure vulnerabilities are fixed before public disclosure. We proactively notify customers to ensure they can protect their systems before malicious actors can develop and deploy exploits.