CVE-2026-3329: Nexus Repository Manager - Improper Restriction of Excessive Authentication Attempts
A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 3.93.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
Improper restriction of authentication attempts (credential brute-forcing) in Sonatype Nexus Repository Manager allows a remote, unauthenticated attacker to systematically guess user account credentials against the authentication endpoints. No prior account or special network position is required; the attacker only needs to reach the service over the network. Successful exploitation gives the attacker the ability to recover valid credentials and gain unauthorized access to user accounts, disclosing the data and permissions those accounts can reach. A patched-image rebuild at version 3.93.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-3329 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package Nexus Repository Manager. Any image running a version between 3.0.0 and 3.92.x is flagged in both registry scans and CI pipeline checks.
HarborGuard scores this finding at CVSS v4.0 8.7 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Per-organization routing rules direct the alert to the appropriate team inbox, ensuring the right engineers see it without manual triage overhead.
A patched-image rebuild at Nexus Repository Manager 3.93.0 becomes available through HarborGuard once the fix version is confirmed against the upstream release. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Nexus Repository Manager authentication endpoint over the network; no local or physical access is needed, but the service must be exposed.
- Authentication: Not required
No account or credentials of any kind are required to begin the attack; the attacker targets the login endpoint from an unauthenticated position.
- Victim interaction: Not required
No user action is needed; the attack is carried out entirely by the attacker against the service without any social-engineering step.
- Attack complexity: Low (AC:L)
Exploit conditions are straightforward and reliable, with no race conditions, specific memory layout, or environmental prerequisites required.
Blast Radius
- A successful attacker recovers plaintext or usable credentials for one or more Nexus user accounts.
- With valid credentials in hand, the attacker can authenticate as the compromised user and read any artifacts, repositories, or secrets that account can access.
- Account compromise may expose API tokens, build secrets, or private package contents stored in or accessible through the repository manager.
How HarborGuard Handles This
Available on HarborGuard: images running Nexus Repository Manager versions 3.0.0 through 3.92.x are flagged automatically within minutes of CVE ingestion. Where compliance policy permits, a rebuilt image at version 3.93.0 is made available, and for customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Until upgrade is complete, compensating controls worth considering include placing the Nexus authentication endpoint behind a network policy that restricts inbound access to known IP ranges, enabling account lockout or rate-limiting at the reverse-proxy layer if the application itself does not enforce it, and auditing authentication logs for high-frequency failed login attempts against any account.
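The log-auditing control mentioned above, as an added example that is not HarborGuard's or Sonatype's code: a small Python detector that counts failed logins per source IP and per account inside a sliding window and flags whichever key reaches a threshold. The log line format, the sample lines, the 5-minute window and the threshold of 5 are all constructed assumptions; real Nexus logs differ, so adapt LINE_RE to the request or authentication log you actually collect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED simplified format
# "<ISO time> <client-ip> <FAIL|OK> user=<account>" (not Nexus's real format).
SAMPLE_LOG = """\
2026-02-01T10:00:00Z 203.0.113.7 FAIL user=alice
2026-02-01T10:00:01Z 203.0.113.7 FAIL user=bob
2026-02-01T10:00:02Z 203.0.113.7 FAIL user=carol
2026-02-01T10:00:03Z 203.0.113.7 FAIL user=dave
2026-02-01T10:00:04Z 203.0.113.7 FAIL user=erin
2026-02-01T10:01:00Z 198.51.100.2 FAIL user=admin
2026-02-01T10:01:01Z 198.51.100.3 FAIL user=admin
2026-02-01T10:01:02Z 198.51.100.4 FAIL user=admin
2026-02-01T10:01:03Z 198.51.100.5 FAIL user=admin
2026-02-01T10:01:04Z 198.51.100.6 FAIL user=admin
2026-02-01T10:30:00Z 192.0.2.9 FAIL user=alice
2026-02-01T10:30:05Z 192.0.2.9 OK user=alice
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|OK) user=(\S+)$")
WINDOW = timedelta(minutes=5)  # assumed window; tune to your traffic
THRESHOLD = 5                  # failures per key inside WINDOW (assumed)

def parse(text):
    """Yield (timestamp, ip, outcome, user) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_bursts(text, window=WINDOW, threshold=THRESHOLD):
    """Flag IPs and accounts whose failed logins reach `threshold` inside a
    sliding `window`: per-IP counting catches one source trying many accounts,
    per-account counting catches one account hit from many sources."""
    alerts = {"ip": set(), "account": set()}
    recent = {"ip": defaultdict(deque), "account": defaultdict(deque)}
    for ts, ip, outcome, user in parse(text):
        if outcome != "FAIL":
            continue  # only failures count toward the burst
        for kind, key in (("ip", ip), ("account", user)):
            q = recent[kind][key]
            q.append(ts)
            while q and ts - q[0] > window:  # evict events outside the window
                q.popleft()
            if len(q) >= threshold:
                alerts[kind].add(key)
    return alerts
```

On the constructed sample this flags 203.0.113.7 (one source, five accounts) and the admin account (five sources, one account) while the single failure followed by a success from 192.0.2.9 stays quiet.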
- Sonatype / Nexus Repository Manager: < 3.93.0 (from 3.0.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N