Skip to main content

Nexus Repository 3 CVE-2026-14645

| EUVDEUVD-2026-43737 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-14 Sonatype GHSA-7364-vc59-2428
5.1
CVSS 4.0 · Vendor: Sonatype
Share

Severity by source

Vendor (Sonatype) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.5 MEDIUM

Network-accessible SSRF requiring Capability Admin privilege (PR:H); scope changes to internal systems justifying S:C with limited C:L and I:L against subsequent resources.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Sonatype).

CVSS VectorVendor: Sonatype

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 14, 2026 - 17:03 vuln.today

DescriptionCVE.org

Nexus Repository 3 does not validate the destination of the "Webhook: Global" capability's configured URL before making an outbound HTTP request, allowing a user holding the Capability Administration permission to cause the server to send requests to internal network locations (Server-Side Request Forgery). This permission is granted by role assignment, independent of authentication status, so an unauthenticated user could also trigger this behavior if the anonymous role has been granted the permission.

AnalysisAI

Server-Side Request Forgery in Sonatype Nexus Repository 3 allows any holder of the Capability Administration permission to redirect the server's outbound HTTP requests to arbitrary internal network addresses by supplying a crafted URL in the Webhook Global capability configuration, enabling probing of internal infrastructure. The vulnerability is patched in version 3.94.0 per Sonatype's release notes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access Nexus web interface
Delivery
Authenticate with Capability Admin role (or exploit anonymous role misconfiguration)
Exploit
Configure Webhook Global URL to internal network address
Execution
Trigger qualifying Nexus repository event
Persist
Nexus server issues HTTP request to internal target
Impact
Observe response data or internal service interaction

Vulnerability AssessmentAI

Exploitation Exploitation requires the Capability Administration permission in Nexus Repository 3, which is a privileged role not granted by default to ordinary users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 (Medium) with vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N accurately represents baseline risk when the instance is correctly hardened: exploitation requires the Capability Administration role, a non-trivial privilege. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with the Capability Administration role - or operating anonymously on an instance where the anonymous role has been granted that permission - navigates to the Nexus administration UI, opens the Webhook Global capability configuration, and sets the webhook URL to an internal address such as http://169.254.169.254/latest/meta-data/ or http://internal-jenkins:8080/api/json. The next qualifying repository event causes the Nexus server to issue an HTTP GET to that address; depending on the webhook framework's error reporting, the attacker may observe the response content, enumerate open ports, or interact with internal services that trust the Nexus host. …
Remediation Upgrade Sonatype Nexus Repository 3 to version 3.94.0 or later, which introduces destination URL validation for the Webhook Global capability per the vendor release notes at https://help.sonatype.com/en/sonatype-nexus-repository-3-94-0-release-notes.html and security advisory at https://support.sonatype.com/hc/en-us/articles/53158843564179/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14645 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy