Authorization Bypass in Nexus Repository by Sonatype
CVE-2026-14504

8.2HIGH

Key Information:

Vendor

Sonatype

Vendor
CVE Published:
14 July 2026

What is CVE-2026-14504?

An authorization bypass in Sonatype's Nexus Repository 3 has been identified, affecting the component upload API. This vulnerability enables users with merely read or browse privileges on Swift, Terraform, or Conda hosted repositories to upload unauthorized artifacts. The issue lies in the ineffective enforcement of write-permission checks, which can lead to potential security breaches and unauthorized access to sensitive repository data.

Affected Version(s)

Nexus Repository 3 3.88.0 < 3.94.0

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

muhammaddaffa
.