CVE-2026-3329
Description
CVE-2026-3329 allows remote unauthenticated attackers to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2026-3329 is a vulnerability in Sonatype Nexus Repository that allows a remote unauthenticated attacker to conduct credential-guessing attacks against user accounts via authentication endpoints. The issue affects versions 3.91.x through 3.93.0, as noted in the release notes for version 3.93.0 [1]. The vulnerability resides in the authentication mechanism, where no rate limiting or account lockout protections are applied to login attempts, enabling brute-force attacks.
Exploitation
An attacker can exploit this vulnerability by sending a high volume of login requests to the authentication endpoints of an affected Nexus Repository instance. No authentication or prior access is required; the attacker only needs network connectivity to the target server. The attacker can systematically guess passwords for known or enumerated usernames, leveraging the lack of rate limiting to perform credential-stuffing or brute-force attacks.
Impact
Successful exploitation allows the attacker to gain unauthorized access to user accounts, potentially including administrative accounts. This can lead to full compromise of the Nexus Repository instance, including access to stored artifacts, configuration data, and the ability to modify or delete repositories. The impact is high, as it affects confidentiality, integrity, and availability of the system.
Mitigation
Sonatype released Nexus Repository version 3.93.0 on June 4, 2026, which addresses this vulnerability [1]. Users should upgrade to version 3.93.0 or later. For deployments that cannot immediately upgrade, administrators should implement network-level access controls to restrict access to authentication endpoints, enable multi-factor authentication if available, and monitor logs for suspicious login activity. No workaround is provided in the available references.
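To support the log-monitoring advice above, here is an added detection example (not from Sonatype or this page): it scans constructed request-log lines in a combined-log style for repeated failed POSTs to the login endpoint from one source address inside a sliding window. The login path /service/rapture/session, the log layout and the sample lines are assumptions; match them to your own request.log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Nexus login endpoint; adjust to the path your request.log shows.
LOGIN_PATH = "/service/rapture/session"

# Constructed sample log (combined-log style), not real Nexus output.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jun/2026:10:00:01 +0000] "POST /service/rapture/session HTTP/1.1" 403 - 0 12 "curl/8.0"
203.0.113.7 - - [11/Jun/2026:10:00:02 +0000] "POST /service/rapture/session HTTP/1.1" 403 - 0 11 "curl/8.0"
198.51.100.4 - - [11/Jun/2026:10:00:05 +0000] "POST /service/rapture/session HTTP/1.1" 403 - 0 15 "Mozilla/5.0"
203.0.113.7 - - [11/Jun/2026:10:00:08 +0000] "POST /service/rapture/session HTTP/1.1" 403 - 0 10 "curl/8.0"
192.0.2.10 - - [11/Jun/2026:10:00:09 +0000] "GET /service/rest/v1/status HTTP/1.1" 200 - 0 3 "Mozilla/5.0"
203.0.113.7 - - [11/Jun/2026:10:00:13 +0000] "POST /service/rapture/session HTTP/1.1" 403 - 0 12 "curl/8.0"
203.0.113.7 - - [11/Jun/2026:10:00:20 +0000] "POST /service/rapture/session HTTP/1.1" 403 - 0 12 "curl/8.0"
192.0.2.10 - - [11/Jun/2026:10:00:30 +0000] "POST /service/rapture/session HTTP/1.1" 204 - 0 40 "Mozilla/5.0"
203.0.113.7 - - [11/Jun/2026:10:00:44 +0000] "POST /service/rapture/session HTTP/1.1" 403 - 0 12 "curl/8.0"
198.51.100.4 - - [11/Jun/2026:10:03:00 +0000] "POST /service/rapture/session HTTP/1.1" 403 - 0 14 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Map source IP -> peak number of failed logins seen inside one window.

    Only IPs that reach `threshold` failures (401/403 on a POST to the login
    path) within `window` are returned; successes and other paths are ignored.
    """
    recent = defaultdict(deque)   # per-IP timestamps of failures in the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != LOGIN_PATH or status not in (401, 403):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Run `detect_bruteforce(SAMPLE_LOG.splitlines())` to see the one source that exceeds the threshold; feeding real lines through `sys.stdin` works the same way.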
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <3.93.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.