Server-Side Request Forgery in Nexus Repository 3 by Sonatype
CVE-2026-14645
5.1MEDIUM
What is CVE-2026-14645?
The Nexus Repository 3 platform has a vulnerability due to insufficient validation of URLs configured for the 'Webhook: Global' feature. When a user with Capability Administration permission configures a webhook to an untrusted location, malicious actors can exploit this to send unauthorized outbound HTTP requests to internal network locations. This flaw can be triggered even by unauthenticated users where the anonymous role has been granted the necessary permissions, thus posing a significant risk to the security of internal systems.
Affected Version(s)
Nexus Repository 3 3.0.0 < 3.94.0
