Server-Side Request Forgery in Nexus Repository 3 by Sonatype
CVE-2026-14645

5.1MEDIUM

Key Information:

Vendor

Sonatype

Vendor
CVE Published:
14 July 2026

What is CVE-2026-14645?

The Nexus Repository 3 platform has a vulnerability due to insufficient validation of URLs configured for the 'Webhook: Global' feature. When a user with Capability Administration permission configures a webhook to an untrusted location, malicious actors can exploit this to send unauthorized outbound HTTP requests to internal network locations. This flaw can be triggered even by unauthenticated users where the anonymous role has been granted the necessary permissions, thus posing a significant risk to the security of internal systems.

Affected Version(s)

Nexus Repository 3 3.0.0 < 3.94.0

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ky0toFu
.