Sonatype Nexus Repository Hard-Coded Credential Vulnerability Allowing Unauthorized Database Access and Command Execution

Vulnerability

A vulnerability exists in Sonatype Nexus Repository Manager versions 3.0.0 prior to 3.70.5, due to hard-coded credentials in an internal database component. This flaw allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and to execute arbitrary operating system commands as the Nexus process user. Exploitation requires the non-default configuration setting 'nexus.orient.binaryListenerEnabled=true' to be present.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the internal database and allow for arbitrary command execution on the host system as the Nexus process user.

Remediation

Users are advised to upgrade to Sonatype Nexus Repository version 3.71.0 or later. Additionally, review the 'nexus.properties' configuration file for the 'nexus.orient.binaryListenerEnabled=true' setting. If this setting is present and not required, it should be removed.
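The two checks the remediation calls for, a version comparison against the affected range and a review of nexus.properties for the listener setting, as an added POSIX shell example. This is not part of the advisory and not Sonatype's own tooling. It assumes nexus.properties follows java.util.Properties syntax ('=' or ':' as separator, lines starting with '#' or '!' as comments, the last assignment of a key winning); the file path and the sample file contents it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory or from Sonatype. Two defender-side
# checks for this advisory:
#   1. nexus_version_affected  - is a version string inside 3.0.0 <= v < 3.70.5?
#   2. binary_listener_enabled - does a nexus.properties file set the
#      non-default nexus.orient.binaryListenerEnabled=true?
# Assumption: nexus.properties follows java.util.Properties syntax ('=' or ':'
# separator, lines starting with '#' or '!' are comments, last assignment wins).
# The sample file contents written below are constructed for illustration.

# Return 0 when $1 is in the advisory's affected range, 1 when it is not,
# 2 when the string is not a recognisable major.minor.patch version.
nexus_version_affected() {
    ver="$1"
    maj=$(printf '%s' "$ver" | cut -d. -f1)
    min=$(printf '%s' "$ver" | cut -s -d. -f2)
    # The patch field may carry a build suffix such as "4-02"; keep only the digits.
    pat=$(printf '%s' "$ver" | cut -s -d. -f3 | sed 's/[^0-9].*//')
    min=${min:-0}
    pat=${pat:-0}
    case "$maj$min$pat" in
        ''|*[!0-9]*) return 2 ;;
    esac
    # Only the 3.x line is named by the advisory; within it, anything below 3.70.5.
    [ "$maj" -eq 3 ] || return 1
    [ "$min" -lt 70 ] && return 0
    [ "$min" -eq 70 ] && [ "$pat" -lt 5 ] && return 0
    return 1
}

# Return 0 when the file's effective value for the listener key is "true",
# 1 when it is absent, commented out or set to anything else, 2 if unreadable.
binary_listener_enabled() {
    file="$1"
    [ -r "$file" ] || return 2
    val=$(grep -v '^[[:space:]]*[#!]' "$file" \
        | sed -n 's/^[[:space:]]*nexus\.orient\.binaryListenerEnabled[[:space:]]*[=:][[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | tail -n 1 | tr 'A-Z' 'a-z')
    [ "$val" = "true" ]
}

# Write a constructed sample nexus.properties to $1. $2 selects the variant:
# "enabled" (listener switched on) or "commented" (the key appears only in a comment).
write_sample_properties() {
    case "$2" in
        enabled)
            printf '%s\n' \
                '# constructed sample nexus.properties (not a real deployment)' \
                'application-port=8081' \
                'nexus.orient.binaryListenerEnabled = true' > "$1" ;;
        *)
            printf '%s\n' \
                '# constructed sample nexus.properties (not a real deployment)' \
                'application-port=8081' \
                '# nexus.orient.binaryListenerEnabled=true' > "$1" ;;
    esac
}

# Stand-alone demonstration on constructed data.
sample=$(mktemp "${TMPDIR:-/tmp}/nexus.properties.XXXXXX")
for v in 3.0.0 3.69.0-01 3.70.4 3.70.5 3.71.0; do
    if nexus_version_affected "$v"; then
        echo "version $v: within affected range, upgrade to 3.71.0 or later"
    else
        echo "version $v: outside affected range"
    fi
done
write_sample_properties "$sample" enabled
if binary_listener_enabled "$sample"; then
    echo "sample (enabled): binary listener is ON, exploitation precondition met"
fi
write_sample_properties "$sample" commented
if ! binary_listener_enabled "$sample"; then
    echo "sample (commented): binary listener is OFF"
fi
rm -f "$sample"
```

Point binary_listener_enabled at the real nexus.properties of a deployment (its location varies by install, so the path is not assumed here); a return of 0 on an affected version is the combination the advisory describes, and removing the setting or upgrading to 3.71.0 or later clears it.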

Added: Apr 15, 2026, 8:18 PM
Updated: Apr 15, 2026, 8:18 PM

Vulnerability Rating

Custom Algorithm

spread          6.2
impact          7.5
exploitability  6.6
remediation     7.9
relevance       6.0
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.