Skip to main content

Nexus Repository CVE-2026-7494

| EUVDEUVD-2026-43744 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-14 Sonatype GHSA-jpvp-vqx9-22qg
5.3
CVSS 4.0 · Vendor: Sonatype
Share

Severity by source

Vendor (Sonatype) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.0 MEDIUM

Network-reachable endpoint exploitable by low-privilege users; scope change to subsequent systems captures internal SSRF pivot; no confidentiality or integrity impact on the Nexus host itself.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (Sonatype).

CVSS VectorVendor: Sonatype

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 16:35 vuln.today
CVE Published
Jul 14, 2026 - 15:46 cve.org
MEDIUM 5.3

DescriptionCVE.org

Nexus Repository 3 is vulnerable to Server-Side Request Forgery (SSRF) via the SSL Certificate Retrieval endpoint. A user holding the nexus:ssl-truststore:read permission could cause the server to initiate outbound connections to internal or otherwise restricted network hosts. This issue affects Nexus Repository 3.0.0 through versions prior to 3.94.0.

AnalysisAI

Server-Side Request Forgery in Sonatype Nexus Repository 3 exposes internal network infrastructure to authenticated users holding the nexus:ssl-truststore:read permission, who can weaponize the SSL Certificate Retrieval endpoint to force the server to initiate outbound TCP connections to arbitrary hosts - including cloud metadata services, internal APIs, and otherwise firewalled systems. All versions from 3.0.0 up to (but not including) 3.94.0 are affected, and a vendor-released patch is available. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Nexus account with nexus:ssl-truststore:read permission
Delivery
Craft request to SSL Certificate Retrieval endpoint with internal target address
Exploit
Server initiates outbound connection to internal host
Execution
Receive response or connection metadata
Impact
Enumerate internal services or harvest cloud metadata credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Nexus session with the nexus:ssl-truststore:read permission explicitly granted - this is not a default permission for all users and is typically restricted to administrators or security operators managing the trust store. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms this is network-exploitable with low complexity and no attack prerequisites beyond holding the nexus:ssl-truststore:read permission - substantially limiting the exposed population to users who have been explicitly granted that role. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a Nexus account holding the nexus:ssl-truststore:read permission submits a crafted request to the SSL Certificate Retrieval endpoint targeting an internal host - for example, the AWS EC2 instance metadata service at 169.254.169.254 or an internal Kubernetes API server. The Nexus server initiates a TCP connection and returns connection results or certificate data from the internal target, allowing the attacker to enumerate internal services, harvest cloud credentials from metadata endpoints, or map the internal network without needing direct network access to those hosts. …
Remediation Upgrade Sonatype Nexus Repository to version 3.94.0 or later, as documented in the official release notes at https://help.sonatype.com/en/sonatype-nexus-repository-3-94-0-release-notes.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-7494 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy