Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible SSRF requiring Capability Admin privilege (PR:H); scope changes to internal systems justifying S:C with limited C:L and I:L against subsequent resources.
Primary rating from Vendor (Sonatype).
CVSS VectorVendor: Sonatype
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Nexus Repository 3 does not validate the destination of the "Webhook: Global" capability's configured URL before making an outbound HTTP request, allowing a user holding the Capability Administration permission to cause the server to send requests to internal network locations (Server-Side Request Forgery). This permission is granted by role assignment, independent of authentication status, so an unauthenticated user could also trigger this behavior if the anonymous role has been granted the permission.
AnalysisAI
Server-Side Request Forgery in Sonatype Nexus Repository 3 allows any holder of the Capability Administration permission to redirect the server's outbound HTTP requests to arbitrary internal network addresses by supplying a crafted URL in the Webhook Global capability configuration, enabling probing of internal infrastructure. The vulnerability is patched in version 3.94.0 per Sonatype's release notes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the Capability Administration permission in Nexus Repository 3, which is a privileged role not granted by default to ordinary users. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.1 (Medium) with vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N accurately represents baseline risk when the instance is correctly hardened: exploitation requires the Capability Administration role, a non-trivial privilege. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with the Capability Administration role - or operating anonymously on an instance where the anonymous role has been granted that permission - navigates to the Nexus administration UI, opens the Webhook Global capability configuration, and sets the webhook URL to an internal address such as http://169.254.169.254/latest/meta-data/ or http://internal-jenkins:8080/api/json. The next qualifying repository event causes the Nexus server to issue an HTTP GET to that address; depending on the webhook framework's error reporting, the attacker may observe the response content, enumerate open ports, or interact with internal services that trust the Nexus host. … |
| Remediation | Upgrade Sonatype Nexus Repository 3 to version 3.94.0 or later, which introduces destination URL validation for the Webhook Global capability per the vendor release notes at https://help.sonatype.com/en/sonatype-nexus-repository-3-94-0-release-notes.html and security advisory at https://support.sonatype.com/hc/en-us/articles/53158843564179/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Nexus Repository 3
View allAuthorization bypass in Sonatype Nexus Repository 3's component upload API lets an account holding only read/browse priv
SSRF protections in Sonatype Nexus Repository 3 are bypassed when proxy repository upstream servers return HTTP redirect
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43737
GHSA-7364-vc59-2428