Sonatype Nexus Security Advisory
Date: 2026-04-15
Affected Versions: All Sonatype Nexus Repository 3.x CE/Pro versions 3.0.0 through 3.70.5
Fixed in Version: Sonatype Nexus Repository CE/Pro version 3.71.0
Summary
A hardcoded credential in an internal database component of Sonatype Nexus Repository Manager could allow an unauthenticated attacker with network access to gain unauthorized access to the internal database and execute commands on the host system.
Exploitation requires the OrientDB binary listener to be enabled. This listener is not enabled by default in standalone deployments.
In legacy HA-C mode (enabled via nexus.clustered=true), the OrientDB binary listener is automatically enabled. Therefore, this legacy clustering mode is affected by the vulnerability.
The currently supported high availability (HA) architecture does not automatically enable this listener.
Customers running in default (non-clustered) configurations or using the current HA architecture are not affected.
This vulnerability is fixed in version 3.71.0. Customers are strongly encouraged to upgrade immediately.
Recommendation
Customers using Nexus Repository 3 versions 3.0.0 through 3.70.5 should upgrade to version 3.71.0 or later as soon as possible. Download the latest version from https://help.sonatype.com/repomanager3/product-information/download.
Customers should also review their nexus.properties configuration file for nexus.orient.binaryListenerEnabled=true and, because legacy HA-C mode enables the listener automatically, for nexus.clustered=true. If nexus.orient.binaryListenerEnabled=true is present and not required, remove it as an immediate mitigation measure. Removing that property does not mitigate a legacy HA-C deployment, since clustering enables the listener on its own; such deployments should prioritize the upgrade. Because exploitation requires network access to the listener, also confirm that it is not reachable from untrusted networks until the upgrade is complete.
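The following audit helper is an added example, not Sonatype code or part of this advisory. It reads a nexus.properties file the way a Java .properties file is parsed (comment lines starting with # or ! are ignored, the key ends at the first = or :, surrounding whitespace is trimmed, a later line overrides an earlier one for the same key, and boolean values are compared case-insensitively) and reports whether either setting named in this advisory enables the OrientDB binary listener: nexus.orient.binaryListenerEnabled=true set explicitly, or nexus.clustered=true for legacy HA-C mode. The three sample files it writes are constructed for the demonstration; the file location ($NEXUS_DATA/etc/nexus.properties) and the last-occurrence-wins rule are assumptions about the deployment, not statements from the advisory.

```shell
#!/bin/sh
# Added audit helper (not Sonatype's code). Checks a nexus.properties file for
# the two settings this advisory says enable the OrientDB binary listener:
#   nexus.orient.binaryListenerEnabled=true   explicit enablement
#   nexus.clustered=true                      legacy HA-C, enables it implicitly
# Assumed file location (assumption): $NEXUS_DATA/etc/nexus.properties

# prop_value FILE KEY: print the effective value of KEY, lower-cased, or nothing.
# Java .properties rules: '#'/'!' comments, key ends at first '=' or ':',
# whitespace trimmed, last occurrence wins (assumption about Nexus's loader),
# CRLF tolerated.
prop_value() {
    awk -v key="$2" '
        { sub(/\r$/, "", $0) }
        /^[ \t]*[#!]/ { next }                  # comment line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sep = match(line, /[=:]/)          # first separator
            if (sep == 0) next
            k = substr(line, 1, sep - 1)
            v = substr(line, sep + 1)
            sub(/[ \t]+$/, "", k)
            sub(/^[ \t]+/, "", v)
            sub(/[ \t]+$/, "", v)
            if (k == key) val = v              # later line overrides earlier
        }
        END { if (val != "") print tolower(val) }
    ' "$1"
}

# orient_listener_enabled FILE: exit 0 (and say why) if the configuration
# enables the listener, exit 1 if it does not, exit 2 if the file is unreadable.
orient_listener_enabled() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 2; }
    if [ "$(prop_value "$f" nexus.orient.binaryListenerEnabled)" = "true" ]; then
        echo "$f: nexus.orient.binaryListenerEnabled=true (listener explicitly enabled)"
        return 0
    fi
    if [ "$(prop_value "$f" nexus.clustered)" = "true" ]; then
        echo "$f: nexus.clustered=true (legacy HA-C mode enables the listener automatically)"
        return 0
    fi
    echo "$f: OrientDB binary listener not enabled by configuration"
    return 1
}

# Constructed sample files for the demonstration (not real Nexus configs).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/explicit.properties" <<'EOF'
# constructed sample: explicit enablement with odd spacing and case
nexus-context-path=/
nexus.orient.binaryListenerEnabled = TRUE
EOF

cat > "$TMP/hac.properties" <<'EOF'
# constructed sample: legacy HA-C mode, no explicit listener property
nexus.clustered=true
EOF

cat > "$TMP/safe.properties" <<'EOF'
# constructed sample: only commented-out or overridden settings
# nexus.orient.binaryListenerEnabled=true
nexus.orient.binaryListenerEnabled=false
nexus.clustered=true
nexus.clustered=false
EOF

for f in "$TMP/explicit.properties" "$TMP/hac.properties" "$TMP/safe.properties"; do
    orient_listener_enabled "$f" || :
done
```

Run it against the real file with orient_listener_enabled /path/to/nexus.properties; a zero exit status means the deployment meets the precondition described in this advisory and should be upgraded or reconfigured.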
Credit
This issue was discovered and reported responsibly by Shreyas Chavhan (HackerOne: @shreyaschavhan, GitHub: @shreyaschavhan, LinkedIn: @shreyaschavhan) via Sonatype’s Bug Bounty Program.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An unauthenticated attacker who can reach the affected component over the network can gain unauthorized access to the Nexus Repository internal database and execute arbitrary commands on the host system as the Nexus process user.
Q: What preconditions must be met in order to be vulnerable?
A: The vulnerability affects Nexus Repository 3 versions 3.0.0 through 3.70.5. Exploitation requires the OrientDB binary listener to be enabled. The listener is enabled either explicitly, via nexus.orient.binaryListenerEnabled=true in nexus.properties, or automatically by the legacy HA-C clustering mode (nexus.clustered=true). Both are non-default configurations. Standalone deployments with neither setting, and deployments using the currently supported HA architecture, are not affected.
Q: Are there implications associated with this advisory itself?
A: Yes. Public disclosure of security vulnerabilities can enable malicious actors to develop exploits and target unpatched systems. Organizations should assess their exposure and take appropriate action by upgrading to version 3.71.0 or applying the mitigation steps described above as soon as possible.
Q: Why is Sonatype making this information available?
A: Sonatype follows responsible disclosure practices and coordinates with security researchers to ensure vulnerabilities are fixed before public disclosure. We proactively notify customers to ensure they can protect their systems before malicious actors can develop and deploy exploits.