Auth bypass in Sonatype Nexus Repository 3
CVE-2026-14504
An authorization bypass in Nexus Repository 3's component upload API allowed a user with only read/browse privileges on a Swift, Terraform, or Conda hosted repository to upload arbitrary artifacts, bypassing the intended write-permission c…
Vulnerability class: Broken Access Control
Affected products
- Sonatype Nexus Repository 3 — versions 3.88.0
Weakness classification (CWE)
References
- 103e4ec9-0a87-450b-af77-479448ddef11 (patch)
- 103e4ec9-0a87-450b-af77-479448ddef11 (vendor-advisory)