Sonatype Nexus Security Advisory
Date: July 14, 2026
Affected Versions: All previous Sonatype Nexus Repository 3 CE/Pro versions with Terraform hosted repositories (3.88.0+), Swift hosted repositories (3.89.0+), or Conda hosted repositories (3.91.0+), up to and including 3.93.x
Fixed in Version: Sonatype Nexus Repository 3 CE/Pro version 3.94.0
CVSS: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N = 8.2 (High)
CWE: CWE-862: Missing Authorization
Sonatype Guide: https://guide.sonatype.com/vulnerability/CVE-2026-14504
Summary
An authorization bypass vulnerability was discovered in the Sonatype Nexus Repository 3 component upload API. A principal holding only read/browse privileges on a Swift, Terraform, or Conda hosted repository could upload new artifacts to that repository via POST /service/rest/v1/components, despite lacking write (edit) permissions.
An unconfigured Nexus Repository 3 instance defaults to anonymous access disabled for every version in this advisory’s affected range, so exploitation typically requires an authenticated account. Administrators are prompted to make an explicit choice about anonymous access during first-login setup, and that choice persists for the life of the instance regardless of version. On any instance where anonymous access has been explicitly enabled, an unauthenticated attacker can exploit this vulnerability with no credentials at all, because the default anonymous role is granted read/browse access to all repositories. See the FAQ below for details.
Sonatype is not aware of any active exploitation of this vulnerability at the time of this announcement.
Recommendation
Sonatype recommends all users upgrade to Sonatype Nexus Repository 3 CE/Pro version 3.94.0 or later, available at https://help.sonatype.com/en/download.html
Immediate Mitigation Options
Users who cannot upgrade immediately can reduce exposure by:
- Reviewing role assignments and revoking unnecessary read/browse grants on Swift, Terraform, and Conda hosted repositories.
- Setting the repository write policy to
DENYon affected hosted repositories to block all uploads until the upgrade is applied (this also blocks legitimate uploads). - Monitoring audit logs for
POST /service/rest/v1/componentsrequests originating from accounts that hold only browse/read roles on Swift, Terraform, or Conda repositories, or from theanonymousprincipal. - If global anonymous access is enabled and not required, disabling it (Administration > Security > Anonymous Access) removes the unauthenticated attack path entirely until the upgrade is applied.
Credit
This issue was discovered and reported responsibly by muhammaddaffa via Sonatype’s Bug Bounty Program.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An attacker with only read/browse access to an affected hosted repository could upload arbitrary artifacts, allowing unauthorized artifact publication. Downstream consumers pulling from the repository could receive attacker-controlled content.
Q: What preconditions must be met in order to be vulnerable?
A: The instance must have a Swift, Terraform, or Conda hosted repository configured. The attacker must be able to obtain at least read/browse access to that repository - either through a valid authenticated account holding read/browse privileges, or, if the instance has global anonymous access enabled, with no account at all (see next question).
Q: Can an anonymous (unauthenticated) user exploit this vulnerability?
A: It depends on whether anonymous access has been enabled on the instance. Administrators are prompted to make an explicit choice about anonymous access during first-login setup, and that choice persists for the life of the instance regardless of version. For an instance where this has never been explicitly configured, the unconfigured default is disabled for every version in this advisory’s affected range. However, on any instance where anonymous access has been explicitly enabled (a supported configuration option, commonly used to allow unauthenticated read-only browsing), the default anonymous role is granted read/browse access to every repository and format by default. On such instances, this vulnerability is exploitable by a fully unauthenticated attacker with no credentials. Administrators who have anonymous access enabled should treat this as an unauthenticated, network-exploitable vulnerability and prioritize the upgrade or mitigations accordingly.
Q: Are there implications associated with this advisory itself?
A: As with any vulnerability disclosure, publishing details could help a bad actor craft an exploit before all users have upgraded. Sonatype recommends assessing your exposure and applying the fix promptly.
Q: Why is Sonatype making this information available?
A: Sonatype follows a responsible disclosure process and proactively notifies customers of vulnerabilities affecting supported products so they can take timely action.