Home

Description

Nexus Repository 3 does not validate the destination of the "Webhook: Global" capability's configured URL before making an outbound HTTP request, allowing a user holding the Capability Administration permission to cause the server to send requests to internal network locations (Server-Side Request Forgery). This permission is granted by role assignment, independent of authentication status, so an unauthenticated user could also trigger this behavior if the anonymous role has been granted the permission.

PUBLISHED Reserved 2026-07-03 | Published 2026-07-14 | Updated 2026-07-14 | Assigner Sonatype




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status
unaffected

3.0.0 (semver) before 3.94.0
affected

Credits

Ky0toFu finder

References

help.sonatype.com/...us-repository-3-94-0-release-notes.html patch

support.sonatype.com/hc/en-us/articles/53158843564179/ vendor-advisory

cve.org (CVE-2026-14645)

nvd.nist.gov (CVE-2026-14645)

Download JSON