Sonatype Nexus Security Advisory
Date: July 14, 2026
Affected Versions: All Sonatype Nexus Repository 3 CE/Pro versions from 3.0.0 up to and including 3.93.x
Fixed in Version: Sonatype Nexus Repository 3 CE/Pro version 3.94.0
CVSS: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N = 4.9 (Medium)
CWE: CWE-918: Server-Side Request Forgery (SSRF)
Sonatype Guide: https://guide.sonatype.com/vulnerability/CVE-2026-14646
Summary
Nexus Repository 3 did not apply its existing Server-Side Request Forgery (SSRF) protections to HTTP redirect targets returned by proxy repository upstream servers. Any user with read access to a proxy repository backed by an attacker-controlled or compromised upstream server - including an anonymous user, if anonymous access is enabled - could receive a response from an internal network address or cloud metadata endpoint as repository content, potentially exposing sensitive information such as cloud IAM credentials.
Recommendation
Upgrade to Sonatype Nexus Repository 3 CE/Pro version 3.94.0 or later. Downloads are available at https://help.sonatype.com/en/download.html
If your Nexus instance runs in a cloud environment (AWS, GCP, Azure) and could have been exposed to this issue, consider rotating any instance/IAM credentials accessible via the cloud metadata service as a precaution.
Immediate Mitigation Options
Until you are able to upgrade, restrict proxy repository upstream configurations to trusted, known hosts, and avoid enabling anonymous or broad read access on proxy repositories pointed at third-party or partner-controlled servers.
Credit
This issue was discovered and reported responsibly by e0x1337 (elite) via Sonatype's Bug Bounty Program.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An attacker who controls or compromises a server configured as a proxy repository's upstream could cause Nexus Repository to fetch and return content from internal network addresses or cloud metadata endpoints, potentially exposing sensitive information such as cloud IAM credentials to the requesting user.
Q: What preconditions must be met in order to be vulnerable?
A: The Nexus Repository instance must have a proxy repository configured with an upstream that is malicious or has been compromised, and the requesting account must have read access to that proxy repository. This includes the anonymous user if granted read access to the affected proxy repository.
Q: Are there implications associated with this advisory itself?
A: As with any vulnerability disclosure, publishing details could help bad actors craft exploits against systems that have not yet been updated. We recommend assessing your exposure and applying the fixed version promptly.
Q: Why is Sonatype making this information available?
A: Sonatype follows a responsible disclosure process and proactively notifies customers of vulnerabilities that may affect them, along with guidance for remediation.