Nexus Repository Manager - Insufficient Entropy in Format-Specific API Key Generation
Summary
| CVE | CVE-2026-11403 |
|---|---|
| State | PUBLISHED |
| Assigner | Sonatype |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-14 16:16:44 UTC |
| Updated | 2026-07-14 16:16:44 UTC |
| Description | A vulnerability in Sonatype Nexus Repository Manager's format-specific API key generation may allow a remote attacker to gain unauthorized access to repository operations as a targeted user. A format-specific API key realm (NuGet API Key, Docker Bearer Token, or npm Bearer Token) must be enabled and the targeted user must have an active API key for this vulnerability to be exploitable. |
Risk And Classification
Primary CVSS: v4.0 8.7 HIGH from 103e4ec9-0a87-450b-af77-479448ddef11
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-331 | CWE-331 CWE-331 Insufficient entropy
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 103e4ec9-0a87-450b-af77-479448ddef11 | Secondary | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
NonePrivileges Required
NoneUser Interaction
NoneConfidentiality
HighIntegrity
NoneAvailability
NoneSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Sonatype | Nexus Repository Manager | affected 3.0.0 3.93.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| help.sonatype.com/en/sonatype-nexus-repository-3-93-0-release-notes.html | 103e4ec9-0a87-450b-af77-479448ddef11 | help.sonatype.com | |
| support.sonatype.com/hc/en-us/articles/52347011450515 | 103e4ec9-0a87-450b-af77-479448ddef11 | support.sonatype.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Sanjok Karki (@thesanjok) of National Forensic Sciences University, Goa. (en)
There are currently no legacy QID mappings associated with this CVE.