Sonatype Nexus Security Advisory
Date: July 14, 2026
Affected Versions: All previous Sonatype Nexus Repository 3 CE/Pro versions up to and including 3.93.x
Fixed in Version: Sonatype Nexus Repository 3 CE/Pro version 3.94.0
CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N = 5.1 (Medium)
CWE: CWE-918: Server-Side Request Forgery (SSRF)
Sonatype Guide: https://guide.sonatype.com/vulnerability/CVE-2026-14645
Summary
Sonatype Nexus Repository 3 does not validate the destination of the URL configured on the "Webhook: Global" capability before issuing an outbound HTTP request when the webhook fires. A user holding the Capability Administration permission can configure this URL to point at internal-only network locations, causing the server to send requests to those targets on the user's behalf (Server-Side Request Forgery). Note: Nexus Repository grants permissions by role assignment, independent of whether the request supplied credentials - if an administrator has granted this permission to the anonymous role, an unauthenticated client could also trigger this behavior.
Recommendation
Upgrade to Sonatype Nexus Repository 3 CE/Pro version 3.94.0 or later. Downloads are available at https://help.sonatype.com/en/download.html
Credit
This issue was discovered and reported responsibly by Ky0toFu - https://github.com/Ky0toFu via Sonatype's Bug Bounty Program.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: A user holding the Capability Administration permission can cause the Nexus Repository server to issue outbound HTTP requests to internal-only network locations that are not otherwise reachable from outside the server's network, such as internal services, management interfaces, or cloud metadata endpoints.
Q: What preconditions must be met in order to be vulnerable?
A: The attacker must hold the Capability Administration permission (nx-capabilities-*), which is restricted to administrators by default. This is a permission grant, not an authentication requirement - Nexus Repository does not distinguish between a logged-in user and the anonymous user when evaluating permissions, so if that permission has ever been granted to the anonymous role, no credentials are required to exploit this issue.
Q: Are there implications associated with this advisory itself?
A: As with any public vulnerability disclosure, publishing details could help a malicious actor exploit unpatched systems. We strongly recommend upgrading promptly and are disclosing this information to help administrators assess their exposure and take appropriate action.
Q: Why is Sonatype making this information available?
A: Sonatype follows a responsible disclosure process and proactively notifies customers of security issues so they can take timely action to protect their environments.