Description
The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send crafted requests with a user-controlled object_name path parameter to delete arbitrary files from the underlying MinIO storage system. Successful exploitation leads to data loss and denial of service.
Published: 2026-05-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The backend service used by nexent v1.7.5.2 exposes an HTTP DELETE endpoint that removes files from a MinIO storage system without requiring any form of authentication or authorization, and without validating the path supplied by the caller. By sending a crafted request to this endpoint, an unauthenticated remote attacker can delete any file that the storage service exposes, effectively causing data loss and potentially disabling application functionality due to missing files.

Affected Systems

The vulnerable component is the file management API of nexent version 1.7.5.2. No additional vendor or product information is listed, suggesting that this specific release is the only known affected environment at the time of reporting.

Risk and Exploitability

The attack vector is implied to be remote over the network, as the endpoint is publicly exposed and requires no credentials. Because the vulnerability is unauthenticated, any entity with network reach to the service can abuse it, making the exploitation likelihood high from the attacker's perspective. The CVSS score of 9.1 indicates severe impact, and the EPSS score shown as < 1% suggests a low overall probability of exploitation. Although the flaw is not recorded in CISA's KEV catalog, the lack of safeguards combined with the destructive nature of the vulnerability warrants treating it as a high-severity exposure.

Generated by OpenCVE AI on May 13, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and deploy the vendor’s security patch that adds authentication, authorization, and input validation to the /storage/{object_name:path} endpoint
  • If an immediate patch is unavailable, restrict network access to the backend service so that only trusted internal systems can reach the DELETE endpoint
  • On the storage side, configure MinIO to enforce strict access policies so that even if the API processes a malicious request, file deletion is denied unless explicitly permitted
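The controls listed above, shown as an added example that is not nexent's code: a framework-agnostic version of the DELETE handler logic that authenticates the caller, validates the object_name path parameter, and checks ownership before the storage client is called. It assumes per-tenant key prefixes ("<tenant>/..."), a bearer-token session map, and a MinIO-like remove_object(bucket, name) client; all three are assumptions made for the example.

```python
import posixpath
import re
from dataclasses import dataclass
SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]{1,255}$")  # one segment: no '/', whitespace, controls

@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant: str      # objects are keyed "<tenant>/..." (assumption for this example)
    roles: frozenset

class FakeStore:  # stand-in for a MinIO client, constructed for this example
    def __init__(self, objects):
        self.objects = set(objects)
    def remove_object(self, bucket, name):
        self.objects.discard(name)

def authenticate(headers, sessions):
    """Map a bearer token to a Principal; None means anonymous (-> 401)."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return sessions.get(token)

def validate_object_name(name):
    """Reject names that escape the key namespace: traversal, absolute paths, junk."""
    if not name or len(name) > 1024 or name.startswith("/") or "\\" in name:
        return False
    if name != posixpath.normpath(name):  # catches 'a/./b', 'a//b', 'a/../b', 'a/'
        return False
    # normpath keeps a leading '..', so every segment is checked explicitly too
    return all(s not in (".", "..") and SEGMENT_RE.match(s) for s in name.split("/"))

def authorize(principal, name):
    """Non-admins may only delete objects under their own tenant prefix."""
    return "admin" in principal.roles or name.startswith(principal.tenant + "/")

def delete_object(headers, object_name, sessions, store, bucket="attachments"):
    """Hardened DELETE handler; returns the HTTP status the route would send."""
    principal = authenticate(headers, sessions)
    if principal is None:
        return 401                      # was: no authentication at all
    if not validate_object_name(object_name):
        return 400                      # was: object_name passed straight through
    if not authorize(principal, object_name):
        return 403                      # was: no ownership check
    store.remove_object(bucket, object_name)
    return 204
```

The same three checks apply whether the route is served by FastAPI, Flask or anything else; the framework decodes percent-encoded segments before the handler runs, so the validation operates on the decoded value.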

Advisories

No advisories yet.

History

Tue, 26 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Nexent
Nexent nexent
CPEs cpe:2.3:a:nexent:nexent:1.7.5.2:*:*:*:*:*:*:*
Vendors & Products Nexent
Nexent nexent

Sun, 17 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Modelengine-group
Modelengine-group nexent
Vendors & Products Modelengine-group
Modelengine-group nexent

Wed, 13 May 2026 19:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Deletion of Files via Backend REST API

Wed, 13 May 2026 17:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Deletion of Files via Unauthenticated DELETE Endpoint in Nexent v1.7.5.2
Weaknesses CWE-20
CWE-284

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-552
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Deletion of Files via Unauthenticated DELETE Endpoint in Nexent v1.7.5.2
Weaknesses CWE-20
CWE-284

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send crafted requests with a user-controlled object_name path parameter to delete arbitrary files from the underlying MinIO storage system. Successful exploitation leads to data loss and denial of service.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-13T14:00:22.584Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31216

Vulnrichment

Updated: 2026-05-13T14:00:18.152Z

NVD

Status : Analyzed

Published: 2026-05-12T16:16:13.493

Modified: 2026-05-26T16:32:35.983

Link: CVE-2026-31216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T19:42:31Z

Weaknesses