Skip to main content

nexent CVE-2026-31215

| EUVDEUVD-2026-29499 CRITICAL
Files or Directories Accessible to External Parties (CWE-552)
2026-05-12 mitre GHSA-wm59-m58r-x983
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 15:54 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
9.1 (CRITICAL)
CVE Published
May 12, 2026 - 00:00 nvd
CRITICAL 9.1
CVE Published
May 12, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied path_or_url parameter. This allows unauthenticated remote attackers to send crafted requests that trigger the deletion of arbitrary documents from ElasticSearch indices and corresponding files from the MinIO storage system. Successful exploitation leads to data destruction and denial of service.

AnalysisAI

Remote unauthenticated attackers can delete arbitrary ElasticSearch documents and MinIO storage files in nexent v1.7.5.2 via the unprotected DELETE /{index_name}/documents endpoint. The backend service fails to authenticate requests or validate the path_or_url parameter, enabling mass data destruction and denial of service. EPSS probability (0.12%) indicates low predicted exploitation likelihood, and no active exploitation or public exploit code has been identified at time of analysis, though the CVSS 9.1 reflects the severe impact of unauthenticated remote data deletion.

Technical ContextAI

This vulnerability affects nexent's backend service integration with ElasticSearch and MinIO storage systems. The DELETE API endpoint processes user-supplied path_or_url parameters without authentication gates or input validation, corresponding to CWE-552 (Files or Directories Accessible to External Parties). The architecture appears to link ElasticSearch document deletion operations directly to MinIO file system operations, creating a cascading deletion effect. The vulnerable endpoint accepts index_name as a route parameter and likely uses the unvalidated path_or_url to construct file system paths, enabling path traversal attacks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-accessible exploitation requiring no authentication, low complexity, and no user interaction. MinIO typically serves as object storage for document management systems, meaning exploitation could delete both metadata (ElasticSearch) and actual file content (MinIO) in a single request.

RemediationAI

Upgrade nexent to a patched version once released by ModelEngine-Group - no vendor advisory with fix version identified at time of analysis. Monitor the GitHub repository (https://github.com/ModelEngine-Group/nexent) and vendor notification channels for security updates. As immediate compensating controls: (1) Restrict network access to the DELETE /{index_name}/documents endpoint using firewall rules or reverse proxy authentication to allow only trusted internal services (trade-off: requires architectural changes to inter-service authentication). (2) Implement network segmentation to prevent public internet access to nexent backend services, allowing access only from application frontend tiers (trade-off: may require VPN for administrative access). (3) Deploy Web Application Firewall (WAF) rules to block DELETE requests containing path traversal patterns like '../' or absolute paths in the path_or_url parameter (trade-off: bypassable if parameter encoding is used, provides defense-in-depth only). (4) Enable ElasticSearch and MinIO audit logging to detect unauthorized deletion attempts (detection only, not prevention). (5) Implement regular backup snapshots of ElasticSearch indices and MinIO storage with tested restoration procedures (recovery control, does not prevent initial data loss). Do not expose nexent backend APIs directly to untrusted networks.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2026-31215 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy