๐Ÿ” CVE Alert

CVE-2026-14646

UNKNOWN 0.0

Nexus Repository 3 - Server-Side Request Forgery (SSRF) via HTTP Redirect

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
18th

Nexus Repository 3 did not apply its existing Server-Side Request Forgery (SSRF) protections to HTTP redirect targets returned by proxy repository upstream servers. Any user with read access to a proxy repository backed by an attacker-controlled or compromised upstream server โ€” including an anonymous user, if anonymous access is enabled โ€” could receive a response from an internal network address or cloud metadata endpoint as repository content, potentially exposing sensitive information such as cloud IAM credentials.

CWE CWE-918
Vendor sonatype
Product nexus repository 3
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for sonatype nexus repository 3

Be the first to know when new unknown vulnerabilities affecting sonatype nexus repository 3 are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Sonatype / Nexus Repository 3
3.0.0 < 3.94.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
help.sonatype.com: https://help.sonatype.com/en/sonatype-nexus-repository-3-94-0-release-notes.html support.sonatype.com: https://support.sonatype.com/hc/en-us/articles/53165019641363/

Credits

e0x1337 (elite)