Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied path_or_url parameter. This allows unauthenticated remote attackers to send crafted requests that trigger the deletion of arbitrary documents from ElasticSearch indices and corresponding files from the MinIO storage system. Successful exploitation leads to data destruction and denial of service.
AnalysisAI
Remote unauthenticated attackers can delete arbitrary ElasticSearch documents and MinIO storage files in nexent v1.7.5.2 via the unprotected DELETE /{index_name}/documents endpoint. The backend service fails to authenticate requests or validate the path_or_url parameter, enabling mass data destruction and denial of service. EPSS probability (0.12%) indicates low predicted exploitation likelihood, and no active exploitation or public exploit code has been identified at time of analysis, though the CVSS 9.1 reflects the severe impact of unauthenticated remote data deletion.
Technical ContextAI
This vulnerability affects nexent's backend service integration with ElasticSearch and MinIO storage systems. The DELETE API endpoint processes user-supplied path_or_url parameters without authentication gates or input validation, corresponding to CWE-552 (Files or Directories Accessible to External Parties). The architecture appears to link ElasticSearch document deletion operations directly to MinIO file system operations, creating a cascading deletion effect. The vulnerable endpoint accepts index_name as a route parameter and likely uses the unvalidated path_or_url to construct file system paths, enabling path traversal attacks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-accessible exploitation requiring no authentication, low complexity, and no user interaction. MinIO typically serves as object storage for document management systems, meaning exploitation could delete both metadata (ElasticSearch) and actual file content (MinIO) in a single request.
RemediationAI
Upgrade nexent to a patched version once released by ModelEngine-Group - no vendor advisory with fix version identified at time of analysis. Monitor the GitHub repository (https://github.com/ModelEngine-Group/nexent) and vendor notification channels for security updates. As immediate compensating controls: (1) Restrict network access to the DELETE /{index_name}/documents endpoint using firewall rules or reverse proxy authentication to allow only trusted internal services (trade-off: requires architectural changes to inter-service authentication). (2) Implement network segmentation to prevent public internet access to nexent backend services, allowing access only from application frontend tiers (trade-off: may require VPN for administrative access). (3) Deploy Web Application Firewall (WAF) rules to block DELETE requests containing path traversal patterns like '../' or absolute paths in the path_or_url parameter (trade-off: bypassable if parameter encoding is used, provides defense-in-depth only). (4) Enable ElasticSearch and MinIO audit logging to detect unauthorized deletion attempts (detection only, not prevention). (5) Implement regular backup snapshots of ElasticSearch indices and MinIO storage with tested restoration procedures (recovery control, does not prevent initial data loss). Do not expose nexent backend APIs directly to untrusted networks.
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat
A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29499
GHSA-wm59-m58r-x983