We recently disclosed two critical vulnerabilities affecting older versions of Sonatype Nexus Repository:
- CVE-2026-3199, CVSS 9.4: An authenticated remote code execution vulnerability that could allow an attacker with specific permissions to execute arbitrary code and potentially compromise the Nexus Repository server and its contents.
- CVE-2026-5189, CVSS 9.2: A hardcoded credential vulnerability in an internal database component that, under affected conditions, could allow unauthorized access to the internal database and command execution on the host system.
These vulnerabilities affect older Nexus Repository OSS deployments and have already been addressed in newer Nexus Repository CE and Pro releases.
What you should do now:
Review your current Nexus Repository version and upgrade as soon as possible. If you are still using Nexus Repository OSS, move to Nexus Repository CE or Pro. If your deployment is still backed by OrientDB, make a plan to modernize with Nexus Repository Cloud or migrate to PostgreSQL.
Older deployments may still be working, but that does not mean they are secure, supportable, or ready for what comes next.
Read more about these CVEs, why they matter, and how to move forward: https://www.sonatype.com/blog/your-outdated-repository-still-works-but-it-may-not-be-safe