Description
An authorization bypass in Nexus Repository 3's component upload API allowed a user with only read/browse privileges on a Swift, Terraform, or Conda hosted repository to upload arbitrary artifacts, bypassing the intended write-permission check.
Published: 2026-07-14
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 16:15:00 +0000

Type Values Removed Values Added
Description An authorization bypass in Nexus Repository 3's component upload API allowed a user with only read/browse privileges on a Swift, Terraform, or Conda hosted repository to upload arbitrary artifacts, bypassing the intended write-permission check.
Title Nexus Repository 3 - Authorization Bypass in Component Upload API
First Time appeared Sonatype
Sonatype nexus Repository Manager
Weaknesses CWE-862
CPEs cpe:2.3:a:sonatype:nexus_repository_manager:3.88.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.89.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.3:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.4:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.91.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.91.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.92.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.92.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.92.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.92.3:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.93.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.93.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.93.2:*:*:*:*:*:*:*
Vendors & Products Sonatype
Sonatype nexus Repository Manager
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Sonatype Nexus Repository Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: Sonatype

Published:

Updated: 2026-07-14T15:55:04.951Z

Reserved: 2026-07-02T18:20:34.196Z

Link: CVE-2026-14504

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses