Sonatype Nexus Security Advisory
Date: July 14, 2026
Affected Versions: All Sonatype Nexus Repository 3.x CE/Pro versions before 3.93.0
Fixed in Version: Sonatype Nexus Repository Manager CE/Pro 3.93.0
CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N = 8.7 (High)
CWE: CWE-331: Insufficient entropy
Sonatype Guide: https://guide.sonatype.com/vulnerability/CVE-2026-11403
Summary
A vulnerability in Sonatype Nexus Repository Manager's format-specific API key generation may allow a remote attacker to gain unauthorized access to repository operations as a targeted user. A format-specific API key realm (NuGet API Key, Docker Bearer Token, or npm Bearer Token) must be enabled and the targeted user must have an active API key for this vulnerability to be exploitable.
At the time of this advisory, Sonatype is not aware of this vulnerability being exploited in the wild.
Recommendation
Sonatype recommends all users upgrade to Sonatype Nexus Repository Manager 3.93.0 or later, available from the Sonatype downloads page.
After upgrading, users with active format-specific API keys (NuGet, Docker, npm, Conan) are encouraged to regenerate their keys. Newly generated keys will use the updated algorithm; existing keys remain valid but were generated with the previous algorithm.
Credit
This issue was discovered and reported responsibly by Sanjok Karki (@thesanjok) of National Forensic Sciences University, Goa. via Sonatype's Bug Bounty Program.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An attacker who can identify a valid Nexus username may be able to recover that user's format-specific API key (used for NuGet, Docker, npm, or Conan authentication) and use it to authenticate as that user. This could allow unauthorized read access to repositories the targeted user has access to, or unauthorized write access to hosted repositories if the targeted user has publish permissions. API keys are independent of passwords and do not expire by default.
Q: What preconditions must be met in order to be vulnerable?
A: The following conditions must all be true:
(1) a format-specific API key realm (NuGet API Key, Docker Bearer Token, or npm Bearer Token) must be enabled on the Nexus instance;
(2) the targeted user must have an active API key for that realm; and
(3) the attacker must be able to identify or guess a valid username. Usernames may be visible in repository asset metadata.
Q: Are there implications associated with this advisory itself?
A: Publishing this advisory may make bad actors aware of this vulnerability. Sonatype recommends all affected users assess their exposure and take action (upgrade or apply mitigations) promptly.
Q: Why is Sonatype making this information available?
A: Sonatype follows a responsible disclosure process. We are making this information available so that customers can take informed action to protect their environments. We are proactively notifying customers through our standard security advisory channels.
Q: Do I need to regenerate my existing API keys after upgrading?
A: Existing API keys will continue to work after upgrading, as the fix only affects new key generation. However, Sonatype strongly recommends that users regenerate their format-specific API keys after upgrading to ensure all active keys benefit from the improved algorithm.