CVE-2026-31216
CriticalSummary
The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms.
Risk Assessment
Unauthenticated remote attackers can send crafted requests, leading to data loss and denial of service. This can severely impact the integrity and availability of the system.
Recommendation
It is recommended to implement authentication and authorization mechanisms for the DELETE /storage endpoint and to introduce input validation to prevent unauthorized access.
Original NVD description (English source)
The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send crafted requests with a user-controlled object_name path parameter to delete arbitrary files from the underlying MinIO storage system. Successful exploitation leads to data loss and denial of service.

