Impact
The vulnerability is an unauthorized arbitrary file deletion flaw in the nexent backend. The DELETE /{index_name}/documents endpoint in the ElasticSearch interface does not enforce authentication or authorization and accepts a user‑supplied path_or_url parameter without validation. An attacker who can send HTTP requests to the service can therefore delete any document from any ElasticSearch index and the corresponding file from the MinIO storage system. This results in permanent data loss and can disrupt system functionality, effectively denying legitimate use of the application. The weakness arises from improper access control, consistent with the listed CVEs.
Affected Systems
The affected product is the nexent backend service version 1.7.5.2. It relies on an ElasticSearch instance and MinIO object storage. Any deployment of this version, regardless of additional environment configuration, is potentially vulnerable if the document-deletion endpoint is exposed to an unauthenticated consumer.
Risk and Exploitability
The flaw can be exploited remotely by anyone able to reach the backend, as no authentication is required. Because the EPSS score is not available and the vulnerability is not in the CISA KEV catalog, precise likelihood metrics are unknown, but the lack of any protection makes the risk effectively universal. The attacker must be able to issue an HTTP DELETE request to the endpoint, and the vulnerability is not mitigated by network segmentation on its own. Successful exploitation will lead to data destruction and potential denial of service of the affected indices and storage objects.
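The three checks the Impact section reports as missing (authentication, authorization, and validation of path_or_url) can be sketched as a framework-independent guard that runs before any index or storage delete. This is an added example, not nexent code: the caller model, the server-side catalog, the 2048-character limit and every name in it are assumptions.

```python
# Added example; every name here is hypothetical and none of it is nexent code.
from dataclasses import dataclass


class DeleteDenied(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status  # HTTP status the handler should return


@dataclass(frozen=True)
class Caller:
    tenant_id: str
    writable_indices: frozenset


@dataclass(frozen=True)
class DocumentRecord:
    tenant_id: str    # owner recorded at upload time
    object_key: str   # storage key recorded at upload time, never taken from the request


def authorize_delete(caller, index_name, path_or_url, catalog):
    """Return the server-side object key to delete, or raise DeleteDenied."""
    if caller is None:                                    # authentication
        raise DeleteDenied(401, "authentication required")
    if index_name not in caller.writable_indices:         # authorization on the index
        raise DeleteDenied(403, "index not writable by caller")
    if (not isinstance(path_or_url, str) or not 0 < len(path_or_url) <= 2048
            or any(ord(c) < 0x20 for c in path_or_url)):  # validation (limit is assumed)
        raise DeleteDenied(400, "malformed path_or_url")
    record = catalog.get((index_name, path_or_url))       # exact match, no wildcards
    if record is None or record.tenant_id != caller.tenant_id:
        raise DeleteDenied(404, "no such document for this caller")
    return record.object_key


# Constructed sample data.
CATALOG = {
    ("kb_team_a", "reports/q1.pdf"): DocumentRecord("team-a", "team-a/reports/q1.pdf"),
    ("kb_team_b", "notes/plan.md"): DocumentRecord("team-b", "team-b/notes/plan.md"),
}
ALICE = Caller("team-a", frozenset({"kb_team_a"}))


def status_for(caller, index_name, path_or_url):
    """Return 200 if the delete would be allowed, else the refusal status."""
    try:
        authorize_delete(caller, index_name, path_or_url, CATALOG)
        return 200
    except DeleteDenied as denied:
        return denied.status
```

The storage key comes from the catalog record rather than from the request, so a caller-supplied path_or_url can only select a document the caller already owns.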