CVE-2026-14504
Received Received - Intake

Authorization Bypass in Nexus Repository 3 Artifact Upload

Vulnerability report for CVE-2026-14504, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Sonatype

Description

An authorization bypass in Nexus Repository 3's component upload API allowed a user with only read/browse privileges on a Swift, Terraform, or Conda hosted repository to upload arbitrary artifacts, bypassing the intended write-permission check.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
sonatype nexus_repository 3.94.0
sonatype nexus_repository to 3.94.0 (exc)
sonatype nexus_repository to 3.93.x (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

If you use Sonatype Nexus Repository 3 with Swift, Terraform, or Conda hosted repositories, this vulnerability could allow unauthorized users to upload malicious or unintended artifacts to your repositories.

  • Attackers with read/browse access (including anonymous users if enabled) could exploit this to upload harmful components, leading to supply chain attacks or repository corruption.
  • This could result in downstream systems consuming compromised or malicious artifacts, potentially leading to further security breaches or operational disruptions.

If anonymous access is enabled, unauthenticated attackers could also exploit this vulnerability, increasing the risk of unauthorized modifications to your repositories.

Compliance Impact

This vulnerability could impact compliance with several standards and regulations, depending on the context of your organization and the data stored or processed through Nexus Repository.

  • GDPR: If the repository contains or processes personal data, unauthorized uploads could lead to data breaches or unauthorized access to sensitive information, violating GDPR's data protection requirements.
  • HIPAA: For organizations handling protected health information (PHI), unauthorized modifications to repositories could result in data integrity issues or unauthorized disclosures, potentially violating HIPAA's security and privacy rules.
  • Other standards like ISO 27001 or SOC 2 may also be affected, as this vulnerability undermines access control and data integrity, which are key requirements for these frameworks.

Failure to address this vulnerability could lead to non-compliance findings during audits or regulatory reviews, especially if the repository is part of a critical system handling sensitive data.

Detection Guidance

To detect this vulnerability on your network or system, you can check for suspicious upload activity in the Nexus Repository audit logs. The vulnerability affects the API endpoint POST /service/rest/v1/components, so monitoring this endpoint for unauthorized upload attempts is critical.

  • Review Nexus Repository audit logs for unexpected or unauthorized component uploads to Swift, Terraform, or Conda hosted repositories. Look for entries involving the POST /service/rest/v1/components endpoint.
  • Check the version of Nexus Repository 3 running in your environment. If it is between 3.88.0 and 3.93.x, it is vulnerable. You can verify the version by accessing the Nexus Repository admin interface or checking the version file in the installation directory.
  • Inspect user roles and permissions, particularly for users with read/browse privileges on Swift, Terraform, or Conda repositories. Ensure no unnecessary read/browse permissions are granted.
  • If anonymous access is enabled, verify whether the anonymous role has read/browse permissions on any Swift, Terraform, or Conda repositories. This could allow unauthenticated exploitation.

Commands or tools to assist in detection:

  • To check the Nexus Repository version via the command line, you can run: curl -u <username>:<password> http://<nexus-host>:<port>/service/rest/v1/status | grep version
  • To review audit logs for suspicious uploads, you can use grep or similar tools on the log files. For example: grep 'POST /service/rest/v1/components' /path/to/nexus/log/request.log
Mitigation Strategies

The following immediate steps can be taken to mitigate this vulnerability:

  • Upgrade to Nexus Repository 3 version 3.94.0 or later, as this version contains the fix for the vulnerability.
  • If upgrading is not immediately possible, revoke unnecessary read/browse permissions for users on Swift, Terraform, or Conda hosted repositories. Ensure only trusted users have these privileges.
  • Set repository write policies to DENY for users or roles that should not have upload permissions. This can be done via the Nexus Repository admin interface under the repository settings.
  • Monitor audit logs for suspicious upload requests to the POST /service/rest/v1/components endpoint. Investigate and block any unauthorized activity.
  • Disable global anonymous access if it is enabled. If anonymous access is required, ensure the anonymous role does not have read/browse permissions on Swift, Terraform, or Conda repositories.
Executive Summary

CVE-2026-14504 is an authorization bypass vulnerability in Sonatype Nexus Repository 3's component upload API. It affects Swift, Terraform, and Conda hosted repositories.

The vulnerability allows users with only read or browse privileges to upload arbitrary artifacts, bypassing the intended write-permission check. This occurs because the API endpoint POST /service/rest/v1/components does not properly enforce write permissions.

The issue impacts all versions of Nexus Repository 3 CE/Pro (3.88.0+) up to 3.93.x. It has been fixed in version 3.94.0.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14504. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart