An authorization bypass in Nexus Repository 3's component upload API allowed a user with only read/browse privileges on a Swift, Terraform, or Conda hosted repository to upload arbitrary artifacts, bypassing the intended write-permission check.

Project Subscriptions

Vendors Products
Sonatype Subscribe
Nexus Repository Manager Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 14 Jul 2026 16:15:00 +0000

Type Values Removed Values Added
Description An authorization bypass in Nexus Repository 3's component upload API allowed a user with only read/browse privileges on a Swift, Terraform, or Conda hosted repository to upload arbitrary artifacts, bypassing the intended write-permission check.
Title Nexus Repository 3 - Authorization Bypass in Component Upload API
First Time appeared Sonatype
Sonatype nexus Repository Manager
Weaknesses CWE-862
CPEs cpe:2.3:a:sonatype:nexus_repository_manager:3.88.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.89.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.3:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.90.4:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.91.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.91.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.92.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.92.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.92.2:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.92.3:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.93.0:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.93.1:*:*:*:*:*:*:*
cpe:2.3:a:sonatype:nexus_repository_manager:3.93.2:*:*:*:*:*:*:*
Vendors & Products Sonatype
Sonatype nexus Repository Manager
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Sonatype

Published:

Updated: 2026-07-14T15:55:04.951Z

Reserved: 2026-07-02T18:20:34.196Z

Link: CVE-2026-14504

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T18:15:14Z

Weaknesses