CVE-2026-3199 CRITICAL

CVE-2026-3199: Nexus Repository 3 - Authenticated Remote Code Execution via Task Property Injection

Vendor Sonatype

Product Nexus Repository

Weakness CWE-502 · Unsafe deserialization

Published April 8, 2026

Last update April 9, 2026

View on NVD All CVEs

CVSS base score

9.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L

What the vulnerability does

01Description

A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control.

Key dates

02Disclosure timeline

April 8, 2026 CVE published

April 9, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-3199 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

04Related CVE

CVE-2025-6507 Deserialization of Untrusted Data in h2oai/h2o-3 CVE-2023-50223 Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability CVE-2026-2599 Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv' CVE-2023-40057 SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution CVE-2026-49121 AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization