CVE Catalog

CVE-2026-31216

Critical
Published: Translated: NVD NIST

Summary

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms.

Risk Assessment

Unauthenticated remote attackers can send crafted requests, leading to data loss and denial of service. This can severely impact the integrity and availability of the system.

Recommendation

It is recommended to implement authentication and authorization mechanisms for the DELETE /storage endpoint and to introduce input validation to prevent unauthorized access.

Original NVD description (English source)

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send crafted requests with a user-controlled object_name path parameter to delete arbitrary files from the underlying MinIO storage system. Successful exploitation leads to data loss and denial of service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS