Server-Side Request Forgery in Nexus Repository 3 by Sonatype
CVE-2026-14646
4.9MEDIUM
What is CVE-2026-14646?
Nexus Repository 3 has a vulnerability where existing Server-Side Request Forgery (SSRF) protections are not applied to HTTP redirect targets forwarded by proxy repository upstream servers. This flaw allows users with read access to a compromised proxy repository, including anonymous users, to receive potentially sensitive responses from internal network addresses or cloud metadata endpoints. Such exposures could lead to unauthorized access to sensitive information, including cloud IAM credentials, posing significant security risks.
Affected Version(s)
Nexus Repository 3 3.0.0 < 3.94.0
