CVE-2026-3329
Published 2026-06-11
Priority P259 · high · 8.7 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.50% (39.1th percentile)
A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonatype | nexus_repository_manager | >= 3.0.0 < 3.93.0 | 3.93.0 |
GHSA
A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints.
ghsa_unreviewed·2026-06-11
CVE-2026-3329 [HIGH] CWE-307 A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints.
VulDB
Sonatype Nexus Repository Manager up to 3.92.x excessive authentication
vuldb·2026-06-11·CVSS 8.7
CVE-2026-3329 [HIGH] Sonatype Nexus Repository Manager up to 3.92.x excessive authentication
A vulnerability, which was classified as problematic, was found in Sonatype Nexus Repository Manager up to 3.92.x. The affected element is an unknown function. Such manipulation leads to improper restriction of excessive authentication attempts.
This vulnerability is uniquely identified as CVE-2026-3329. The attack can be launched remotely. No exploit exists.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.