Nexus Repository patches hard-coded credential enabling unauthenticated commands
TL;DR — A hard-coded credential in Nexus Repository 3’s internal database component can enable unauthenticated attackers to execute commands on the host if the OrientDB binary listener is enabled.
What happened
Sonatype Nexus Repository is a widely deployed artifact repository manager used to proxy, store, and publish build outputs (e.g., Maven, npm, Docker) in CI/CD pipelines.
Sonatype published an advisory for CVE-2026-5189, describing a hardcoded credential in an internal database component that could allow an unauthenticated attacker with network access to gain unauthorized access to Nexus Repository’s internal database and execute commands on the host system.
A key constraint called out by Sonatype: exploitation requires a non-default configuration. Specifically, customers who have not enabled the OrientDB binary listener are stated to be not affected.
Why this matters: compromise of an artifact repository is a direct software supply chain risk — it can impact downstream builds, published dependencies, and developer trust boundaries across multiple teams.
Who is impacted
- Deployments running Sonatype Nexus Repository 3.x CE/Pro where the OrientDB binary listener has been explicitly enabled.
- Sonatype states the affected range is 3.0.0 through 3.70.5.
| Product | Affected versions (per vendor) | Fixed version (per vendor) |
|---|---|---|
| Sonatype Nexus Repository 3.x (CE/Pro) | 3.0.0 through 3.70.5 | 3.71.0 |
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
"Customers using Nexus Repository 3 versions 3.0.0 through 3.70.5 should upgrade to version 3.71.0 or later"
- Review whether the vulnerable exposure condition is present in your deployment configuration.
"review their nexus.properties configuration file for the presence of nexus.orient.binaryListenerEnabled=true"
- If the setting is present, validate whether it’s required for your environment; Sonatype explicitly describes removing it as an immediate mitigation when not needed.
"If this setting is present and not required, it should be removed as an immediate mitigation measure."
- Treat this as a supply-chain incident-prep scenario: inventory which build systems and release pipelines trust this Nexus instance, and ensure you can rapidly rotate credentials/tokens used by CI if compromise is suspected.
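The two conditions above (an affected version and the listener setting present in nexus.properties) can be checked with a small script. The following is an added example, not Sonatype's own tooling or part of the advisory: it tolerates comments, whitespace and CRLF endings in the properties file, and compares a version string against the vendor's stated affected range. The default file path is an assumption about a typical install layout, and the sample properties files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Sonatype's own tooling. It checks the two conditions named
# in the advisory: a version in the affected range (3.0.0 through 3.70.5) and
# nexus.orient.binaryListenerEnabled=true present in nexus.properties.
# The default path below is an assumption about a typical install layout.
NEXUS_PROPERTIES="${NEXUS_PROPERTIES:-/opt/sonatype-work/nexus3/etc/nexus.properties}"

# Exit 0 when the properties file sets the binary listener to true.
# Comment lines (# or !) are skipped; "key = value" and "key:value" forms,
# CRLF line endings and trailing whitespace are tolerated.
binary_listener_enabled() {
  [ -r "$1" ] || return 2
  sed -e 's/\r$//' -e '/^[[:space:]]*[#!]/d' "$1" \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/[[:space:]]*[=:][[:space:]]*/=/' \
    | grep -qi '^nexus\.orient\.binaryListenerEnabled=true$'
}

# Exit 0 when the version string falls inside the vendor's affected range.
version_affected() {
  major=${1%%.*}
  rest=${1#*.}
  case "$rest" in
    *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
    *)   minor=$rest;       patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}            # drop suffixes such as "-01"
  [ "$major" = 3 ] || return 1
  if [ "$minor" -lt 70 ]; then return 0; fi
  if [ "$minor" -eq 70 ] && [ "${patch:-0}" -le 5 ]; then return 0; fi
  return 1
}

# Combine both checks into a single verdict word.
assess() {
  if ! version_affected "$1"; then
    echo PATCHED                      # 3.71.0 or later per vendor
  elif [ ! -r "$2" ]; then
    echo UNKNOWN                      # cannot read the properties file
  elif binary_listener_enabled "$2"; then
    echo EXPOSED                      # affected version and listener enabled
  else
    echo NOT_EXPOSED                  # listener not enabled; upgrade anyway
  fi
}

# Constructed sample files for the demonstration (not real deployment files).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/enabled.properties" <<'EOF'
# constructed sample: listener switched on, with spaces around '='
application-port=8081
nexus.orient.binaryListenerEnabled = true
EOF
cat > "$SAMPLE_DIR/disabled.properties" <<'EOF'
# constructed sample: setting only present as a comment
application-port=8081
#nexus.orient.binaryListenerEnabled=true
EOF

# Stand-alone run: the constructed samples, then the configured live path.
echo "3.70.5 + enabled.properties  -> $(assess 3.70.5 "$SAMPLE_DIR/enabled.properties")"
echo "3.70.5 + disabled.properties -> $(assess 3.70.5 "$SAMPLE_DIR/disabled.properties")"
echo "3.71.0 + enabled.properties  -> $(assess 3.71.0 "$SAMPLE_DIR/enabled.properties")"
echo "live: ${NEXUS_VERSION:-3.70.5} + $NEXUS_PROPERTIES -> $(assess "${NEXUS_VERSION:-3.70.5}" "$NEXUS_PROPERTIES")"
```

For a live check, set NEXUS_VERSION to the version shown in the instance's About dialog and NEXUS_PROPERTIES to the real file path; an UNKNOWN verdict means the file could not be read rather than that the listener is off, so it should not be treated as "not affected".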
