CVE-2026-10748 | Severity: HIGH | CNA: Sonatype

CVE-2026-10748: Nexus Repository 3 - Remote Code Execution via License Deserialization

An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user in Sonatype Nexus Repository 3 versions before 3.92.0.

Metrics

  • CVSS v4.0: 8.6
  • Severity: HIGH
  • Fixed in: 3.92.0
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is a remote code execution vulnerability in Sonatype Nexus Repository 3 (all versions from 3.0.0 up to but not including 3.92.0) caused by unsafe deserialization of uploaded license files. An attacker who holds the nx-licensing-create privilege can upload a crafted license file and execute arbitrary operating system commands as the Nexus process user. Successful exploitation gives the attacker full control over the host process, including the ability to read, modify, or destroy repository contents and secrets. A patched-image rebuild at version 3.92.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both connected registries and CI/CD pipelines, including custom-built images that package Nexus Repository 3.

Triage (Available)

HarborGuard scores this issue at CVSS 8.6 HIGH (v4.0) and can weight that score against each environment's compliance policy to prioritize urgency; routed findings land in the inbox of the team or workflow configured for that customer org.

Patch (Available)

A patched-image rebuild pinned to Nexus Repository 3.92.0 becomes available on HarborGuard once the fix version is confirmed against affected images. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable license upload endpoint is exposed over the network, so the attacker must be able to reach the Nexus service via HTTP/HTTPS.

  • Authentication: Required

    An account holding the nx-licensing-create privilege is required; a standard unprivileged account is not sufficient, but the privilege is narrower than full admin access.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker sends the crafted license file directly to the endpoint.

  • Attack complexity: Low

    Exploitation is reliable and requires no race conditions, specific memory layout, or environmental preconditions beyond holding the required privilege.

Blast Radius

  • Arbitrary OS commands execute as the Nexus process user, giving the attacker a foothold on the underlying host.
  • The attacker can read all repository artifacts, credentials, and secrets stored or cached by the Nexus process.
  • The attacker can modify or delete repository contents, including hosted artifacts and proxied component metadata.
  • The attacker can crash or destabilize the Nexus service, disrupting artifact availability for any downstream build pipelines that depend on it.

How HarborGuard Handles This

Available on HarborGuard: any image in a customer registry or pipeline that packages Nexus Repository 3 below version 3.92.0 is flagged within minutes of the CVE being published, including custom-built images. A rebuilt image at 3.92.0 is available for environments where the affected version is detected. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes a regression test run, and opens a pull request against the affected workload; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval, the finding is routed to the configured team inbox with CVSS scoring and policy-weighted priority attached. Because the privilege needed for exploitation (nx-licensing-create) is narrower than full admin, customers who have not yet patched should review role assignments and restrict that privilege to the minimum necessary accounts as a compensating control while the rebuild is staged.
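As a check for the compensating control above, an added example (not HarborGuard's or Sonatype's code) that flags affected versions and lists every account that reaches nx-licensing-create through Nexus's nested roles or the catch-all nx-all privilege. It assumes the role and user objects come from the Nexus REST API endpoints /service/rest/v1/security/roles and /service/rest/v1/security/users, and the sample data is constructed.

```python
"""Audit which Nexus Repository 3 accounts can reach the CVE-2026-10748 license upload path.
Added example (not HarborGuard's or Sonatype's); input mirrors /service/rest/v1/security/{roles,users}."""

def parse_version(v):
    """'3.91.0-01' -> (3, 91, 0); the build suffix after '-' is ignored."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))

def is_affected(version):
    """True when version lies in the advisory's range [3.0.0, 3.92.0)."""
    return (3, 0, 0) <= parse_version(version) < (3, 92, 0)

def effective_privileges(role_id, roles_by_id, seen=None):
    """Flatten a role and its nested roles into one privilege set (cycle-safe)."""
    seen = set() if seen is None else seen
    if role_id in seen or role_id not in roles_by_id:
        return set()
    seen.add(role_id)
    role = roles_by_id[role_id]
    privs = set(role.get("privileges", []))
    for child in role.get("roles", []):
        privs |= effective_privileges(child, roles_by_id, seen)
    return privs

def users_with_privilege(users, roles, privilege):
    """userIds holding `privilege` directly, via nested roles, or via nx-all,
    the catch-all privilege (held by nx-admin) that grants everything."""
    roles_by_id = {r["id"]: r for r in roles}
    hits = []
    for user in users:
        privs = set()
        for rid in user.get("roles", []):
            privs |= effective_privileges(rid, roles_by_id)
        if privilege in privs or "nx-all" in privs:
            hits.append(user["userId"])
    return sorted(hits)

# Constructed sample data shaped like the two REST responses.
SAMPLE_ROLES = [
    {"id": "nx-admin", "privileges": ["nx-all"], "roles": []},
    {"id": "license-ops", "privileges": ["nx-licensing-create"], "roles": []},
    {"id": "release-mgr", "privileges": [], "roles": ["license-ops"]},
    {"id": "developer", "privileges": ["nx-repository-view-*-*-read"], "roles": []},
]
SAMPLE_USERS = [
    {"userId": "admin", "roles": ["nx-admin"]},
    {"userId": "alice", "roles": ["release-mgr"]},
    {"userId": "bob", "roles": ["developer"]},
    {"userId": "carol", "roles": ["license-ops", "developer"]},
]
```

Run `users_with_privilege(SAMPLE_USERS, SAMPLE_ROLES, "nx-licensing-create")` against the live role and user lists to get the accounts to review; note that alice is reported even though her own role never names the privilege, because release-mgr nests license-ops.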


Fix available: 3.92.0

Patch commits

Affected packages
  • Sonatype / Nexus Repository: < 3.92.0 (from 3.0.0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N