Sonatype Nexus Security Advisory
Date: June 17th, 2026
Affected Versions: All Sonatype Nexus Repository 3.x versions from 3.1.0 through 3.92.x
Fixed in Version: Sonatype Nexus Repository CE/Pro version 3.93.0
Summary
An Incorrect Authorization vulnerability (CWE-863) has been identified in the proxy repository configuration of Sonatype Nexus Repository Manager. A user with delegated repository administrator privileges may be able to disclose stored upstream proxy credentials configured on that repository.
At the time of this advisory, Sonatype is not aware of any active exploitation of this vulnerability.
Recommendation
Upgrade to Sonatype Nexus Repository CE/Pro version 3.93.0 or later. Downloads are available at https://help.sonatype.com/en/download.html.
Credit
This issue was discovered and reported responsibly by Ho Boon Suan via Sonatype's Bug Bounty Program.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An authenticated user with delegated repository administrator privileges may be able to disclose credentials configured for upstream proxy sources on repositories they administer. This could expose credentials used to authenticate to private upstream package repositories or mirrors.
Q: What preconditions must be met in order to be vulnerable?
A: The attacker must be an authenticated user with repository-scoped administrator privileges (nx-repository-admin-{format}-{name}-edit) on at least one proxy repository that has an upstream credential configured.
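The precondition above is something an administrator can audit before and after upgrading. The following script is an added example (not Sonatype's code and not part of this advisory): it takes the JSON lists that a Nexus 3 instance returns from `/service/rest/v1/repositories`, `/service/rest/v1/security/privileges`, `/service/rest/v1/security/roles` and `/service/rest/v1/security/users`, flattens nested roles, and lists which users hold a repository-admin EDIT privilege on a proxy repository. It also classifies a version string (for instance from the `Server: Nexus/3.x.y` response header) against the affected range given above. The field names (`type`, `format`, `repository`, `actions`, `privileges`, `roles`, `userId`) are assumed from the documented REST API and should be verified against your instance; the sample records are constructed for this example. The repositories endpoint does not say which proxies have upstream authentication configured, so cross-check the listed repositories' HTTP authentication settings in the UI.

```python
"""Audit helper for the Nexus proxy-credential advisory (added example, not Sonatype's code).

Input: the JSON lists from /service/rest/v1/repositories, /security/privileges,
/security/roles and /security/users. Field names are assumed from the documented
REST API; the SAMPLE_* records below are constructed for this example.
"""
import re

FIRST_AFFECTED = (3, 1, 0)   # advisory: affected from 3.1.0 ...
FIXED = (3, 93, 0)           # ... up to 3.92.x; fixed in 3.93.0


def parse_version(text):
    """Extract major.minor.patch from '3.70.1-02' or 'Nexus/3.70.1-02 (OSS)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    """True if the version lies in the advisory's range 3.1.0 .. 3.92.x."""
    return FIRST_AFFECTED <= parse_version(text) < FIXED


def _matches(pattern, value):
    # Repository-admin privileges use '*' for "any format" / "any repository".
    return pattern == "*" or pattern == value


def privileges_granting_edit(privileges, proxy_repos):
    """Map privilege name -> set of proxy repository names it can EDIT.

    proxy_repos is {repository name: format}. Only repository-admin privileges
    matter here; full system admins (nx-all) are out of scope because they can
    already read every setting and are not "delegated" administrators.
    """
    out = {}
    for p in privileges:
        if p.get("type") != "repository-admin":
            continue
        actions = {a.upper() for a in p.get("actions", [])}
        if not ({"EDIT", "ALL", "*"} & actions):
            continue
        covered = {
            name for name, fmt in proxy_repos.items()
            if _matches(p.get("format", "*"), fmt)
            and _matches(p.get("repository", "*"), name)
        }
        if covered:
            out[p["name"]] = covered
    return out


def effective_privileges(role_id, roles_by_id, seen=None):
    """Flatten a role's privileges, following nested roles and ignoring cycles."""
    seen = set() if seen is None else seen
    if role_id in seen or role_id not in roles_by_id:
        return set()
    seen.add(role_id)
    role = roles_by_id[role_id]
    privs = set(role.get("privileges", []))
    for child in role.get("roles", []):
        privs |= effective_privileges(child, roles_by_id, seen)
    return privs


def delegated_admins_on_proxies(repositories, privileges, roles, users):
    """Return {userId: sorted proxy repo names} for users who meet the precondition."""
    proxy_repos = {r["name"]: r["format"] for r in repositories if r.get("type") == "proxy"}
    priv_cover = privileges_granting_edit(privileges, proxy_repos)
    roles_by_id = {r["id"]: r for r in roles}
    result = {}
    for u in users:
        exposed = set()
        for role_id in u.get("roles", []):
            for priv in effective_privileges(role_id, roles_by_id):
                exposed |= priv_cover.get(priv, set())
        if exposed:
            result[u["userId"]] = sorted(exposed)
    return result


# Constructed sample data in the shape of the REST API responses (hypothetical names).
SAMPLE_REPOSITORIES = [
    {"name": "maven-central", "format": "maven2", "type": "proxy"},
    {"name": "npm-internal-mirror", "format": "npm", "type": "proxy"},
    {"name": "maven-releases", "format": "maven2", "type": "hosted"},
]
SAMPLE_PRIVILEGES = [
    {"name": "nx-repository-admin-npm-npm-internal-mirror-edit", "type": "repository-admin",
     "format": "npm", "repository": "npm-internal-mirror", "actions": ["EDIT"]},
    {"name": "maven-admin-read-only", "type": "repository-admin",
     "format": "maven2", "repository": "*", "actions": ["READ"]},
    {"name": "nx-repository-view-maven2-*-browse", "type": "repository-view",
     "format": "maven2", "repository": "*", "actions": ["BROWSE"]},
]
SAMPLE_ROLES = [
    {"id": "npm-team", "privileges": ["nx-repository-admin-npm-npm-internal-mirror-edit"], "roles": []},
    {"id": "maven-readers", "privileges": ["maven-admin-read-only", "nx-repository-view-maven2-*-browse"], "roles": []},
    {"id": "platform", "privileges": [], "roles": ["npm-team", "maven-readers"]},  # nested roles
]
SAMPLE_USERS = [
    {"userId": "alice", "roles": ["platform"]},
    {"userId": "bob", "roles": ["maven-readers"]},
]

if __name__ == "__main__":
    print("affected:", is_affected_version("Nexus/3.70.1-02 (OSS)"))
    print(delegated_admins_on_proxies(SAMPLE_REPOSITORIES, SAMPLE_PRIVILEGES, SAMPLE_ROLES, SAMPLE_USERS))
```

With the sample data only `alice` is reported (she inherits the npm proxy EDIT privilege through the nested `platform` role); `bob` holds only READ and view privileges and is not. On a real instance, feed the script the four endpoint responses and review every listed user and repository pair until the upgrade to 3.93.0 is complete.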
Q: Are there implications associated with this advisory itself?
A: Publishing this advisory may enable bad actors to attempt exploitation of unpatched instances. Customers should assess their exposure and take action to upgrade or apply mitigations promptly.
Q: Why is Sonatype making this information available?
A: Sonatype is committed to responsible disclosure. We proactively notify customers of security issues so they can take protective action. This advisory is released in coordination with the availability of a fixed version.