Sonatype Nexus Repository Flaws Enable Remote Code Execution and Database Compromise
Sonatype disclosed two high-severity vulnerabilities in Nexus Repository Manager 3 that can lead to arbitrary code execution. CVE-2026-3199 affects versions 3.22.1 through 3.90.2 and allows an authenticated user with task creation privileges to execute code through task property injection in the task management component. The flaw bypasses the nexus.scripts.allowCreation security control, indicating a failure in script-related policy enforcement, and has been mapped to CWE-502.
A second issue, CVE-2026-5189, affects versions 3.0.0 through 3.70.5 and stems from hard-coded credentials in an internal database component. If the non-default setting nexus.orient.binaryListenerEnabled=true is enabled, an unauthenticated network attacker can gain read and write access to the internal database and execute operating system commands as the Nexus process user. Sonatype linked the fixes to Nexus Repository 3.91.0 for CVE-2026-3199 and 3.71.0 for CVE-2026-5189, with both issues carrying high impact across confidentiality, integrity, and availability.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-5189 is published for Nexus hardcoded credential vulnerability
A CVE entry was published for the Nexus Repository hard-coded credential issue and mapped it to CWE-798. The disclosure described unauthenticated exploitation conditions, affected versions, and high impact to confidentiality, integrity, and availability.
Sonatype fixes hardcoded credential flaw in Nexus Repository 3.71.0
Sonatype addressed a hard-coded credentials vulnerability affecting Nexus Repository Manager versions 3.0.0 through 3.70.5 in release 3.71.0. When the non-default setting nexus.orient.binaryListenerEnabled=true was enabled, the flaw could allow unauthenticated network attackers to access the internal database and execute OS commands as the Nexus process user.
CVE-2026-3199 is published for Nexus task property injection RCE
A CVE entry was published for the Nexus Repository task property injection vulnerability and mapped it to CWE-502. The disclosure stated that authenticated attackers with task creation permissions could achieve remote code execution with high impact across confidentiality, integrity, and availability.
Sonatype fixes task property injection RCE in Nexus Repository 3.91.0
Sonatype addressed an authenticated remote code execution flaw in the task management component of Nexus Repository in version 3.91.0. The issue affected versions 3.22.1 through 3.90.2 and allowed attackers with task creation permissions to execute arbitrary code by bypassing the nexus.scripts.allowCreation security control.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-5189 - Nexus Repository 3 - Hardcoded Credential in Internal Database Component
cvefeed.io
Open sourceCVE-2026-3199 - Nexus Repository 3 - Authenticated Remote Code Execution via Task Property Injection
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Sonatype Nexus Repository Manager Flaws Enable XSS and Potential Code Execution
dCERT issued advisories for two vulnerabilities affecting **Sonatype Nexus Repository Manager**, warning that one flaw allows **cross-site scripting (XSS)** and another can **bypass security measures** and may lead to **potential code execution**. The issues affect a widely used artifact repository platform that often sits in software build and package distribution workflows. The paired advisories indicate risk ranging from browser-based compromise through XSS to more serious server-side impact if security controls can be circumvented. Organizations using Sonatype Nexus Repository Manager should review the relevant dCERT advisories, identify affected deployments, and prioritize vendor guidance and remediation to reduce exposure in development and supply-chain infrastructure.
May 12, 2026
Nexus Repository 3 RCE Lets Privileged Users Execute OS Commands
Sonatype disclosed **CVE-2026-10748**, a high-severity remote code execution flaw in **Nexus Repository 3** affecting versions before **3.92.0**. The vulnerability stems from unsafe deserialization in license handling and allows an authenticated user with the `nx-licensing-create` privilege to upload a crafted license file and execute arbitrary operating system commands as the Nexus process user. The issue carries a **CVSS 4.0 score of 8.6**. Organizations running Nexus Repository 3 are being urged to upgrade to **3.92.0 or later**, apply vendor patches, and tightly restrict assignment of the `nx-licensing-create` privilege to reduce exposure. A separate F5 advisory also noted **CVE-2026-42530** affecting the **NGINX `ngx_http_v3_module`**, but no technical synopsis was provided in the available reference.
Jun 17, 2026
Critical n8n Vulnerabilities Enabling RCE and Sandbox Escapes
Government cyber agencies in Belgium and Canada warned that **n8n** released security updates to address multiple **critical vulnerabilities** that could allow attackers to compromise workflow automation instances, particularly those exposed to the internet. The advisories emphasize that n8n often orchestrates actions across interconnected systems, increasing blast radius if compromised, and urge administrators to **patch immediately** to protect confidentiality, integrity, and availability. The Belgian CCB advisory highlights three critical CVEs—**CVE-2026-27495**, **CVE-2026-27577**, and **CVE-2026-27497** (each scored **CVSS 9.4**) affecting n8n versions prior to **2.10.1 / 2.9.3 / 1.123.22**, including issues mapped to **CWE-94 (code injection)** and **CWE-89 (SQL injection)**. It describes **sandbox escape leading to arbitrary code execution** in the JavaScript Task Runner (notably impacting the default internal Task Runner mode) and abuse of crafted workflow expressions by authenticated users with workflow modification permissions; Canada’s Cyber Centre advisory (AV26-176) additionally enumerates impacted components and attack classes including **RCE via Merge Node**, **expression sandbox escape to RCE**, **JavaScript Task Runner sandbox escape**, **unauthenticated expression evaluation via Form Node**, and **stored XSS across multiple nodes**, directing organizations to apply n8n’s upstream fixes.
May 25, 2026