Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10748

CVE-2026-10748: Sonatype Nexus Repository 3 RCE Flaw

CVE-2026-10748 is a remote code execution vulnerability in Sonatype Nexus Repository 3 allowing authenticated users to execute arbitrary OS commands via malicious license files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-10748 Overview

CVE-2026-10748 is a high-severity command injection vulnerability in Sonatype Nexus Repository 3 versions prior to 3.92.0. An authenticated user holding the nx-licensing-create privilege can upload a specially crafted license file that triggers arbitrary operating system command execution as the Nexus process user. The flaw is classified under CWE-502: Deserialization of Untrusted Data, indicating that license file parsing does not safely handle attacker-controlled content. Sonatype addressed the issue in the 3.92.0 release.

Critical Impact

A privileged authenticated attacker can execute arbitrary OS commands on the Nexus host, leading to repository compromise, supply chain tampering, and lateral movement within the build infrastructure.

Affected Products

  • Sonatype Nexus Repository 3, all versions prior to 3.92.0
  • Self-hosted Nexus Repository deployments where licensing features are enabled
  • Instances exposing the licensing API to users with the nx-licensing-create privilege

Discovery Timeline

  • 2026-06-16 - CVE-2026-10748 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-10748

Vulnerability Analysis

The vulnerability resides in the license upload functionality of Sonatype Nexus Repository 3. License files are parsed by the application in a way that does not safely isolate untrusted data, as indicated by the CWE-502 classification. When a user with the nx-licensing-create privilege submits a crafted license artifact, the parsing path allows attacker-controlled content to influence object construction or command invocation. The result is arbitrary OS command execution under the identity of the Nexus runtime process.

Nexus typically runs with elevated access to repository storage, build pipelines, and proxy credentials. Code execution in this context can lead to artifact tampering, credential theft, and downstream supply chain attacks against consumers of the repository.

Root Cause

The root cause is unsafe deserialization or processing of attacker-controlled data inside the license file handler. The application trusts the structure and content of the uploaded file beyond what is safe, enabling gadget chains or command construction during parsing.

Attack Vector

The attack vector is network-based but requires high privileges. The attacker must already hold the nx-licensing-create permission, which is normally reserved for administrators. No user interaction is needed once the malicious license is uploaded. Successful exploitation yields execution as the Nexus process user, with full read and write access to repository data on disk.

No public proof-of-concept code has been verified for this CVE. Refer to the Sonatype Support Article for vendor-published technical details.

Detection Methods for CVE-2026-10748

Indicators of Compromise

  • Unexpected child processes spawned by the Nexus Java process, such as sh, bash, cmd.exe, or powershell.exe
  • Audit log entries showing license uploads from non-administrative or unusual user accounts
  • New or modified files in the Nexus working directory shortly after a license upload event
  • Outbound network connections from the Nexus host to untrusted destinations following a licensing API call

Detection Strategies

  • Monitor the Nexus audit log for POST requests to license endpoints and correlate with the uploading account's role assignments
  • Alert on process lineage where the Nexus JVM spawns shell interpreters or scripting hosts
  • Inspect uploaded license files for non-standard structures, embedded serialized objects, or unexpected size deviations

Monitoring Recommendations

  • Forward Nexus application and audit logs to a centralized SIEM for retention and correlation
  • Track all accounts assigned the nx-licensing-create privilege and alert on additions
  • Baseline normal child-process behavior of the Nexus service and flag deviations

How to Mitigate CVE-2026-10748

Immediate Actions Required

  • Upgrade Sonatype Nexus Repository 3 to version 3.92.0 or later as documented in the release notes
  • Audit user accounts holding the nx-licensing-create privilege and revoke it from any non-administrative accounts
  • Rotate credentials, tokens, and signing keys stored on or accessible to the Nexus host if compromise is suspected
  • Restrict network access to the Nexus administrative interface to trusted management subnets

Patch Information

Sonatype released the fix in Nexus Repository 3.92.0. Administrators should apply the upgrade following the standard procedure described in the Sonatype 3.92.0 Release Notes and the corresponding Sonatype Support Article.

Workarounds

  • Limit the nx-licensing-create privilege strictly to a minimal set of trusted administrative users until patching is complete
  • Enforce multi-factor authentication on all Nexus administrative accounts to reduce the risk of credential-based abuse
  • Place the Nexus administrative endpoints behind a reverse proxy or VPN that restricts access by source IP
  • Run the Nexus service under a dedicated low-privilege OS account with no sudo rights and limited filesystem access

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.