Description
A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints.
Published: 2026-06-11
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote, unauthenticated attacker can exploit the Nexus Repository Manager authentication endpoints to perform credential‑guessing attempts. The vulnerability allows an attacker to repeatedly try login credentials without restriction, potentially leading to account compromise or unauthorized access to protected artifacts. The weakness is a classic example of CWE‑307, which describes insufficient protection against authentication failures. Successful exploitation could enable an attacker to retrieve or modify repository content, disrupt service availability or gain foothold for further lateral movement.

Affected Systems

Sonatype Nexus Repository Manager is affected. All versions listed in the CPE data, from early 3.1.0 up to 3.92.3, are potentially vulnerable. Administrators should verify their current Nexus version against this range and consider whether their deployment is within this spectrum.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, signifying substantial impact if exploited. While the EPSS score is not available, the absence of a Kaspersky Exploit Vulnerability (KEV) listing does not negate the risk; it simply means there is no confirmed exploitation at the time of reporting. Based on the description, the likely attack vector is a network‑based brute‑force attempt against exposed authentication services, requiring no special privileges from the attacker. The vulnerability therefore poses a significant risk of credential compromise if no mitigating controls are in place.

Generated by OpenCVE AI on June 11, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sonatype Nexus Repository Manager to the latest documented release (e.g., 3.93.0 or newer) to obtain the vendor’s fix for authentication rate limiting.
  • Enable or configure account lockout policies and IP‑based rate limiting to restrict repeated authentication attempts.
  • Implement strong password policies and, where possible, enforce multi‑fact‑authentication for all Nexus Repository users.

Generated by OpenCVE AI on June 11, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints.
Title Nexus Repository Manager - Improper Restriction of Excessive Authentication Attempts
First Time appeared Sonatype
Sonatype nexus Repository Manager
Weaknesses CWE-307
CPEs cpe:2.3:a:sonatype:nexus_repository_manager:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.10.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.11.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.12.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.12.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.13.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.14.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.15.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.15.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.15.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.16.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.16.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.16.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.17.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.18.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.18.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.19.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.19.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.20.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.20.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.21.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.21.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.21.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.22.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.22.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.23.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.24.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.25.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.25.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.26.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.26.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.27.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.28.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.28.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.29.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.29.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.3.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.3.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.3.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.30.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.30.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.31.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.31.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.32.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.32.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.33.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.33.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.34.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.34.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.35.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.36.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.37.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.37.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.37.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.37.3:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.38.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.38.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.39.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.4.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.40.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.40.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.41.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.41.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.42.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.43.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.44.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.45.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.45.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.46.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.47.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.47.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.48.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.49.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.5.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.5.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.5.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.50.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.51.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.52.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.53.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.53.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.54.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.54.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.55.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.56.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.57.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.57.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.58.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.58.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.59.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.6.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.6.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.6.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.60.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.61.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.62.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.63.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.64.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.65.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.66.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.67.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.67.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.68.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.68.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.69.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.7.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.7.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.70.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.70.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.70.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.70.3:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.70.4:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.70.5:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.71.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.72.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.73.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.74.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.75.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.75.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.76.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.76.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.77.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.78.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.78.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.79.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.8.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.80.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.81.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.82.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.83.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.83.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.83.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.84.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.84.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.84.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.85.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.85.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.86.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.86.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.86.3:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.87.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.87.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.87.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.88.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.89.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.89.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.9.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.3:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.91.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.91.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.92.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.92.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.92.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.92.3:*:*:*:*:*:*:*
Vendors & Products Sonatype
Sonatype nexus Repository Manager
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Sonatype Nexus Repository Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: Sonatype

Published:

Updated: 2026-06-11T18:52:18.659Z

Reserved: 2026-02-27T14:26:59.405Z

Link: CVE-2026-3329

cve-icon Vulnrichment

Updated: 2026-06-11T18:52:11.610Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-11T18:16:25.343

Modified: 2026-06-11T21:02:42.240

Link: CVE-2026-3329

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T20:45:10Z

Weaknesses
  • CWE-307

    Improper Restriction of Excessive Authentication Attempts