Back to overview

CVE-2026-14645

MEDIUM
5.1
CVSS 4.0
Description
Nexus Repository 3 does not validate the destination of the "Webhook: Global" capability's configured URL before making an outbound HTTP request, allowing a user holding the Capability Administration permission to cause the server to send requests to internal network locations (Server-Side Request Forgery). This permission is granted by role assignment, independent of authentication status, so an unauthenticated user could also trigger this behavior if the anonymous role has been granted the permission.

Metadata

CVE ID
CVE-2026-14645
State
PUBLISHED
Assigner
Sonatype
Reserved
2026-07-03 17:56 UTC
Published
2026-07-14 16:33 UTC
Last updated
2026-07-15 15:13 UTC
Primary CWE
CWE-918
CWE-918 Server-Side Request Forgery (SSRF)
Vendor / Product
Sonatype / Nexus Repository 3
Sources
cve.org  ·  NVD

Severity & Metrics

5.1 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
Sonatype Nexus Repository 3 3.0.0 < 3.94.0
Weakness (CWE)
CWESourceDescription
CWE-918 cna CWE-918 Server-Side Request Forgery (SSRF)
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.1 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Back to overview