CVE-2026-14504

Summary

An authorization bypass in Nexus Repository 3's component upload API allowed a user with only read/browse privileges on a Swift, Terraform, or Conda hosted repository to upload arbitrary artifacts, bypassing the intended write-permission check.

Affected Software

VendorProductVersion RangeStatus
SonatypeNexus Repository 33.88.0 < 3.94.0affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

References