Sonatype is warning customers of a critical remote code execution vulnerability that allows adversaries to bypass security controls and take control of Sonatype Nexus Repository instances.
The bug (CVE-2026-3199) is classified as deserialization of untrusted data and affects the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2. The mitigation is to upgrade to Sonatype Nexus Repository CE/Pro version 3.91.0.
An untrusted deserialization flaw occurs when an application converts attacker-controlled data back into program objects (data the application can act on) without adequate validation, which can let attackers run code, escalate privileges, or bypass security controls.
According to the CVE description, attackers can remotely execute code with minimal effort and low-privilege access, taking control of systems, manipulating data, and causing disruption without any user interaction.
“Given the severity of this issue, organizations should prioritize upgrading to version 3.91.0 and assess whether any accounts with task creation permissions may have been misused prior to patching,” Sonatype wrote.
Wes Clemons of Millennium Corporation is credited for identifying the flaw via Sonatype’s Bug Bounty Program.