Description
The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send crafted requests with a user-controlled object_name path parameter to delete arbitrary files from the underlying MinIO storage system. Successful exploitation leads to data loss and denial of service.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The backend service used by nexent v1.7.5.2 exposes an HTTP DELETE endpoint that removes files from a MinIO storage system without requiring any form of authentication or authorization, and without validating the path supplied by the caller. By sending a crafted request to this endpoint, an unauthenticated remote attacker can delete any file that the storage service exposes, effectively causing data loss and potentially disabling application functionality due to missing files.

Affected Systems

The vulnerable component is the file management API of nexent version 1.7.5.2. No additional vendor or product information is listed, suggesting that this specific release is the only known affected environment at the time of reporting.

Risk and Exploitability

The attack vector is implied to be remote over the network, as the endpoint is publicly exposed and requires no credentials. Because the vulnerability is unauthenticated, any entity with network reach to the service can abuse it, which makes the likelihood of exploitation high. The Exploit Prediction Scoring System (EPSS) score is not provided, and the vulnerability is not listed in CISA’s KEV catalog, yet the lack of safeguards and the destructive nature of the flaw warrant treating it as a high‑severity exposure.

Generated by OpenCVE AI on May 12, 2026 at 17:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and deploy the vendor’s security patch that adds authentication, authorization, and input validation to the /storage/{object_name:path} endpoint
  • If an immediate patch is unavailable, restrict network access to the backend service so that only trusted internal systems can reach the DELETE endpoint
  • On the storage side, configure MinIO to enforce strict access policies so that even if the API processes a malicious request, file deletion is denied unless explicitly permitted
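
An added sketch (not nexent's code and not part of the advisory) of the three checks the first recommendation names, applied in order before any storage call is made. The `users/<user_id>/` prefix layout, the function names and the dict standing in for the MinIO bucket are assumptions made for this example.

```python
import re

# Assumption: each user's objects live under "users/<user_id>/" (layout invented here).
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9._-]{1,128}")


class DeleteDenied(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def authorize_delete(user_id, object_name):
    """Return the validated object key, or raise DeleteDenied with an HTTP status."""
    # 1. Authentication: user_id is assumed to come from a verified session or token.
    if not user_id:
        raise DeleteDenied(401, "authentication required")
    # 2. Input validation: reject empty, dot and unexpected-character segments.
    segments = object_name.split("/")
    for seg in segments:
        if seg in (".", "..") or not SAFE_SEGMENT.fullmatch(seg):
            raise DeleteDenied(400, "invalid object name")
    # 3. Authorization: the key must sit inside the caller's own prefix.
    if len(segments) < 3 or segments[:2] != ["users", user_id]:
        raise DeleteDenied(403, "object is outside the caller's prefix")
    return "/".join(segments)


def handle_delete(user_id, object_name, store):
    """Hypothetical handler body; `store` is a dict standing in for the bucket."""
    try:
        key = authorize_delete(user_id, object_name)
    except DeleteDenied as denied:
        return denied.status
    if key not in store:
        return 404
    del store[key]
    return 204


if __name__ == "__main__":
    bucket = {"users/alice/a.txt": b"a", "users/bob/b.txt": b"b"}  # constructed data
    for caller, name in [(None, "users/bob/b.txt"), ("alice", "users/bob/b.txt"),
                         ("alice", "users/alice/../bob/b.txt"), ("alice", "users/alice/a.txt")]:
        print(caller, name, handle_delete(caller, name, bucket))
```

Running the checks in this order means an unauthenticated caller learns nothing about which object names are valid or present.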

Advisories

No advisories yet.

History

Tue, 12 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Title | | Unauthorized Deletion of Files via Unauthenticated DELETE Endpoint in Nexent v1.7.5.2
Weaknesses | | CWE-20, CWE-284

Tue, 12 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send crafted requests with a user-controlled object_name path parameter to delete arbitrary files from the underlying MinIO storage system. Successful exploitation leads to data loss and denial of service.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T15:06:08.721Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31216

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T16:16:13.493

Modified: 2026-05-12T16:16:13.493

Link: CVE-2026-31216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:00:12Z

Weaknesses