Sonatype Nexus Security Advisory
Date: July 14, 2026
Affected Versions: Sonatype Nexus Repository 3 CE/Pro versions 3.0.0 up to and including 3.93.x
Fixed in Version: Sonatype Nexus Repository CE/Pro 3.94.0
CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N = 5.3 (Medium)
CWE: CWE-918: Server-Side Request Forgery (SSRF)
Summary
A Server-Side Request Forgery (SSRF) vulnerability was identified in the SSL Certificate Retrieval feature of Sonatype Nexus Repository 3. A user holding the nexus:ssl-truststore:read permission could cause the server to initiate outbound network connections to hosts and ports of the attacker's choosing, including hosts on internal or otherwise restricted networks. This could be used to enumerate internal network hosts and services, and to retrieve TLS certificate information from those internal services.
Sonatype is not aware of any active exploitation of this vulnerability at the time of this announcement.
Recommendation
Upgrade to Sonatype Nexus Repository CE/Pro 3.94.0 or later, which validates certificate retrieval destinations against internal/private network ranges before establishing a connection.
Immediate Mitigation Options
Administrators who cannot upgrade immediately should restrict the nexus:ssl-truststore:read permission to trusted, administrative users only, reducing the pool of accounts that can trigger outbound connections through this feature.
Credit
This issue was discovered and reported responsibly by Muhamad Burhanudin via Sonatype's Bug Bounty Program.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: A user holding the nexus:ssl-truststore:read permission could use the Nexus Repository server as a network pivot to probe internal hosts and ports, and to retrieve TLS certificate metadata (hostnames, organizational details, fingerprints) from internal services that are not otherwise reachable by the attacker.
Q: What preconditions must be met in order to be vulnerable?
A: The attacker must hold the nexus:ssl-truststore:read permission within Nexus Repository.
Q: Are there implications associated with this advisory itself?
A: As with any public vulnerability disclosure, publishing details about this issue could help a malicious actor exploit unpatched systems. We strongly encourage all users to assess their exposure and apply the recommended fix as soon as possible.
Q: Why is Sonatype making this information available?
A: Sonatype follows a responsible disclosure process and proactively notifies our user community of vulnerabilities and their remediations so that they can take appropriate action to protect their systems.