PT-2026-33132 · Sonatype · Nexus Repository Manager

Published

2026-04-15

Updated

2026-04-16

CVE-2026-5189

CVSS v4.0

9.2

Critical

Vector

AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5

Description Use of hard-coded credentials allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS commands as the Nexus process user. This issue is exploitable when the non-default configuration nexus.orient.binaryListenerEnabled is set to true.

Recommendations Update to version 3.71.0. As a temporary workaround, ensure the nexus.orient.binaryListenerEnabled configuration is disabled.

Fix

Using Hardcoded Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-798

Related Identifiers

CVE-2026-5189

Affected Products

Nexus Repository Manager

PT-2026-33132 · Sonatype · Nexus Repository Manager

CVE-2026-5189

Weakness Enumeration

Related Identifiers

Affected Products

References · 8