An authorization bypass in Nexus Repository 3's component upload API allowed a user with only read/browse privileges on a Swift, Terraform, or Conda hosted repository to upload arbitrary artifacts, bypassing the intended write-permission check.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 14 Jul 2026 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An authorization bypass in Nexus Repository 3's component upload API allowed a user with only read/browse privileges on a Swift, Terraform, or Conda hosted repository to upload arbitrary artifacts, bypassing the intended write-permission check. | |
| Title | Nexus Repository 3 - Authorization Bypass in Component Upload API | |
| First Time appeared |
Sonatype
Sonatype nexus Repository Manager |
|
| Weaknesses | CWE-862 | |
| CPEs | cpe:2.3:a:sonatype:nexus_repository_manager:3.88.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.89.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.90.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.90.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.90.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.90.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.90.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.91.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.91.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.92.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.92.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.92.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.92.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.93.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.93.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.93.2:*:*:*:*:*:*:* |
|
| Vendors & Products |
Sonatype
Sonatype nexus Repository Manager |
|
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: Sonatype
Published:
Updated: 2026-07-14T15:55:04.951Z
Reserved: 2026-07-02T18:20:34.196Z
Link: CVE-2026-14504
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-14T18:15:14Z
Weaknesses