Description
The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied path_or_url parameter. This allows unauthenticated remote attackers to send crafted requests that trigger the deletion of arbitrary documents from ElasticSearch indices and corresponding files from the MinIO storage system. Successful exploitation leads to data destruction and denial of service.
Published: 2026-05-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthorized arbitrary file deletion flaw in the nexent backend. The DELETE /{index_name}/documents endpoint in the ElasticSearch interface does not enforce authentication or authorization and accepts a user‑supplied path_or_url parameter without validation. An attacker who can send HTTP requests to the service can therefore delete any document from any ElasticSearch index and the corresponding file from the MinIO storage system. This results in permanent data loss and can disrupt system functionality, effectively denying legitimate use of the application. The weakness arises from improper access control.

Affected Systems

The affected product is the nexent backend service version 1.7.5.2. It relies on an ElasticSearch instance and MinIO object storage. Any deployment of this version, regardless of additional environment configuration, is potentially vulnerable if the deleted‑documents endpoint is exposed to an unauthenticated consumer.

Risk and Exploitability

The flaw can be exploited remotely by anyone able to reach the backend, as no authentication is required. The EPSS score of < 1% indicates a very low but non‑zero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Despite the low EPSS, the lack of authentication and authorization makes the risk universal to all exposed instances. The attacker must be able to issue an HTTP DELETE request to the endpoint. Successful exploitation will lead to data destruction and potential denial of service of the affected indices and storage objects.

Generated by OpenCVE AI on May 13, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s official patch or upgrade to a fixed nexent backend version once available
  • If a patch is not yet released, disable external access to the DELETE /{index_name}/documents endpoint and enforce authentication and authorization checks before processing deletion requests
  • Ensure MinIO permissions are restricted so that only authorized services can delete objects, and monitor object and index logs for anomalous delete operations

Generated by OpenCVE AI on May 13, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Nexent
Nexent nexent
CPEs cpe:2.3:a:nexent:nexent:1.7.5.2:*:*:*:*:*:*:*
Vendors & Products Nexent
Nexent nexent

Sun, 17 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Modelengine-group
Modelengine-group nexent
Vendors & Products Modelengine-group
Modelengine-group nexent

Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Arbitrary File Deletion via ElasticSearch in Nexent v1.7.5.2

Wed, 13 May 2026 16:30:00 +0000

Type Values Removed Values Added
Title Unauthorized Arbitrary File Deletion in Nexent Backend via Unauthenticated ElasticSearch Endpoint
Weaknesses CWE-284
CWE-287

Wed, 13 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-552
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Arbitrary File Deletion in Nexent Backend via Unauthenticated ElasticSearch Endpoint
Weaknesses CWE-284
CWE-287

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied path_or_url parameter. This allows unauthenticated remote attackers to send crafted requests that trigger the deletion of arbitrary documents from ElasticSearch indices and corresponding files from the MinIO storage system. Successful exploitation leads to data destruction and denial of service.
References

Subscriptions

Modelengine-group Nexent
Nexent Nexent
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-13T13:58:26.952Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31215

cve-icon Vulnrichment

Updated: 2026-05-13T13:58:22.293Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T16:16:13.380

Modified: 2026-05-26T16:36:05.773

Link: CVE-2026-31215

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T19:42:32Z

Weaknesses