CVE Alert

CVE-2026-5189

UNKNOWN 0.0

Nexus Repository 3 - Hardcoded Credential in Internal Database Component

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS commands as the Nexus process user. Exploitation requires the non-default nexus.orient.binaryListenerEnabled=true configuration to be enabled.

CWE: CWE-798
Vendor: sonatype
Product: nexus repository
Published: Apr 15, 2026
Last Updated: Apr 16, 2026

Affected Versions

Sonatype / Nexus Repository
3.0.0 < 3.71.0

References

help.sonatype.com: https://help.sonatype.com/en/sonatype-nexus-repository-3-71-0-release-notes.html
support.sonatype.com: https://support.sonatype.com/hc/en-us/articles/50817138825491

Credits

Shreyas Chavhan, HackerOne: @shreyaschavhan