Skip to main content

Nexus Repository 3

3 CVEs product

Monthly

CVE-2026-14646 MEDIUM PATCH This Month

SSRF protections in Sonatype Nexus Repository 3 are bypassed when proxy repository upstream servers return HTTP redirects, allowing those redirects to target internal network addresses or cloud metadata endpoints such as AWS IMDSv1. Any user with read access to an affected proxy repository - including anonymous users if anonymous access is enabled - can receive responses from internal infrastructure, potentially leaking cloud IAM credentials or other sensitive internal data. No public exploit or CISA KEV listing has been identified at time of analysis, but the condition relies on attacker-controlled or compromised upstream servers, making this a credible supply-chain-adjacent threat in enterprises relying on external upstream repositories.

SSRF Nexus Repository 3
NVD
CVSS 4.0
4.9
EPSS
0.3%
CVE-2026-14645 MEDIUM PATCH This Month

Server-Side Request Forgery in Sonatype Nexus Repository 3 allows any holder of the Capability Administration permission to redirect the server's outbound HTTP requests to arbitrary internal network addresses by supplying a crafted URL in the Webhook Global capability configuration, enabling probing of internal infrastructure. The vulnerability is patched in version 3.94.0 per Sonatype's release notes. No public exploit code exists and the vulnerability is not in CISA KEV, but risk escalates materially on instances where the anonymous role has been granted the Capability Administration permission, as this exposes the SSRF to unauthenticated actors without any configuration changes beyond that role assignment.

SSRF Nexus Repository 3
NVD
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-14504 HIGH PATCH This Week

Authorization bypass in Sonatype Nexus Repository 3's component upload API lets an account holding only read/browse privileges on a Swift, Terraform, or Conda hosted repository push arbitrary artifacts, defeating the intended write-permission check (CWE-862). The flaw affects the specific upload paths for these three formats and enables unauthorized artifact publishing that can poison downstream builds. No public exploit identified at time of analysis; Sonatype has shipped a fix in release 3.94.0.

Hashicorp Authentication Bypass Nexus Repository 3
NVD
CVSS 4.0
8.2
EPSS
0.3%
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

SSRF protections in Sonatype Nexus Repository 3 are bypassed when proxy repository upstream servers return HTTP redirects, allowing those redirects to target internal network addresses or cloud metadata endpoints such as AWS IMDSv1. Any user with read access to an affected proxy repository - including anonymous users if anonymous access is enabled - can receive responses from internal infrastructure, potentially leaking cloud IAM credentials or other sensitive internal data. No public exploit or CISA KEV listing has been identified at time of analysis, but the condition relies on attacker-controlled or compromised upstream servers, making this a credible supply-chain-adjacent threat in enterprises relying on external upstream repositories.

SSRF Nexus Repository 3
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Server-Side Request Forgery in Sonatype Nexus Repository 3 allows any holder of the Capability Administration permission to redirect the server's outbound HTTP requests to arbitrary internal network addresses by supplying a crafted URL in the Webhook Global capability configuration, enabling probing of internal infrastructure. The vulnerability is patched in version 3.94.0 per Sonatype's release notes. No public exploit code exists and the vulnerability is not in CISA KEV, but risk escalates materially on instances where the anonymous role has been granted the Capability Administration permission, as this exposes the SSRF to unauthenticated actors without any configuration changes beyond that role assignment.

SSRF Nexus Repository 3
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authorization bypass in Sonatype Nexus Repository 3's component upload API lets an account holding only read/browse privileges on a Swift, Terraform, or Conda hosted repository push arbitrary artifacts, defeating the intended write-permission check (CWE-862). The flaw affects the specific upload paths for these three formats and enables unauthorized artifact publishing that can poison downstream builds. No public exploit identified at time of analysis; Sonatype has shipped a fix in release 3.94.0.

Hashicorp Authentication Bypass Nexus Repository 3
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy