CVE-2026-7494
Received Received - Intake

Server-Side Request Forgery in Nexus Repository 3

Vulnerability report for CVE-2026-7494, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Sonatype

Description

Nexus Repository 3 is vulnerable to Server-Side Request Forgery (SSRF) via the SSL Certificate Retrieval endpoint. A user holding the nexus:ssl-truststore:read permission could cause the server to initiate outbound connections to internal or otherwise restricted network hosts. This issue affects Nexus Repository 3.0.0 through versions prior to 3.94.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
sonatype nexus_repository to 3.94.0 (exc)
sonatype nexus_repository 3.94.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-7494 is a Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3. The vulnerability exists in the SSL Certificate Retrieval endpoint.

A user with the nexus:ssl-truststore:read permission can exploit this flaw to force the server to initiate outbound connections to internal or restricted network hosts. This could allow attackers to probe internal networks, enumerate services, or retrieve TLS certificate details from otherwise unreachable internal services.

The vulnerability affects Nexus Repository versions 3.0.0 through 3.93.x and has been fixed in version 3.94.0.

Impact Analysis

If you are using an affected version of Nexus Repository 3, this vulnerability could have several impacts:

  • Attackers with the nexus:ssl-truststore:read permission could access internal or restricted network resources, potentially exposing sensitive information.
  • The server could be manipulated to make unauthorized outbound connections, which might be used to probe or attack internal systems.
  • An attacker could retrieve TLS certificate details from internal services, which might aid in further exploitation or reconnaissance.

This could lead to unauthorized access, data leaks, or further compromise of internal systems.

Compliance Impact

This vulnerability could impact compliance with several standards and regulations, depending on the context of your organization:

  • GDPR: If the SSRF vulnerability leads to unauthorized access to personal data or internal systems containing personal data, it could result in a data breach. GDPR requires organizations to implement appropriate security measures to protect personal data, and a failure to do so could lead to fines or penalties.
  • HIPAA: For organizations handling protected health information (PHI), this vulnerability could expose internal systems to unauthorized access. HIPAA requires safeguards to protect PHI, and a breach resulting from this vulnerability could lead to non-compliance and potential penalties.
  • Other standards like PCI DSS (for payment card data) or industry-specific regulations may also be impacted if the vulnerability exposes sensitive data or systems covered by these standards.

Organizations should assess the risk posed by this vulnerability and take appropriate remediation steps to maintain compliance with relevant regulations.

Detection Guidance

Detecting CVE-2026-7494 on your network or system involves monitoring for unusual outbound connections initiated by the Nexus Repository server, particularly to internal or restricted hosts. Since the vulnerability is exploited via the SSL Certificate Retrieval endpoint, you can check for suspicious activity by reviewing logs or network traffic.

  • Review Nexus Repository logs for unexpected outbound connection attempts. Look for entries related to SSL certificate retrieval requests that target internal or non-public IP addresses.
  • Use network monitoring tools to inspect traffic originating from the Nexus Repository server. Look for connections to unexpected or internal hosts, especially on ports commonly used for SSL/TLS (e.g., 443, 8443).
  • Check for the presence of the nexus:ssl-truststore:read permission in user roles. If this permission is assigned to untrusted users, it may indicate a potential risk.
  • Verify the version of Nexus Repository running in your environment. If it is between 3.0.0 and 3.93.x, it is vulnerable to this SSRF issue.

Example commands or tools to assist in detection:

  • Check Nexus Repository version: Navigate to the Nexus Repository admin interface or use the REST API to confirm the version. For example, you can use curl to query the API: curl -u admin:password http://<nexus-server>:8081/service/rest/v1/status
  • Inspect network traffic: Use tools like tcpdump or Wireshark to capture outbound traffic from the Nexus server. For example: sudo tcpdump -i eth0 -n src host <nexus-server-ip> and dst port 443
  • Review logs: Check the Nexus Repository request.log or other relevant logs for entries involving the SSL Certificate Retrieval endpoint. For example: grep -i "ssl.*certificate" /path/to/nexus/logs/request.log
Mitigation Strategies

To mitigate CVE-2026-7494, follow these immediate steps:

  • Upgrade to Nexus Repository version 3.94.0 or later. This version includes a fix that restricts certificate retrieval to valid destinations, preventing SSRF attacks.
  • If upgrading is not immediately possible, limit the nexus:ssl-truststore:read permission to only trusted users. Remove this permission from any untrusted or unnecessary roles.
  • Monitor and audit user permissions regularly to ensure that only authorized users have access to sensitive permissions like nexus:ssl-truststore:read.
  • Restrict outbound network traffic from the Nexus Repository server to only necessary destinations. Use firewall rules to block unexpected outbound connections to internal or restricted hosts.
  • Enable detailed logging for the SSL Certificate Retrieval endpoint to track and investigate any suspicious activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7494. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart