PatchSiren cyber security CVE debrief
CVE-2026-31215 ModelEngine-Group CVE debrief
CVE-2026-31215 is a critical vulnerability in Nexent v1.7.5.2 affecting the backend ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks authentication, authorization, and path validation on the user-supplied path_or_url parameter. Unauthenticated remote attackers can exploit this to delete arbitrary documents from ElasticSearch indices and corresponding files from MinIO storage, resulting in data destruction and denial of service. The vulnerability was published on 2026-05-12 and last modified on 2026-05-26. No known exploitation in ransomware campaigns has been reported.
- Vendor
- ModelEngine-Group
- Product
- Nexent
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-26
Who should care
Organizations running Nexent v1.7.5.2 backend services with exposed ElasticSearch interfaces; security teams responsible for data protection and availability; DevOps engineers managing MinIO storage integrations; incident response teams monitoring for data destruction attacks
Technical summary
The Nexent v1.7.5.2 backend exposes a DELETE /{index_name}/documents endpoint on its ElasticSearch service interface without requiring authentication or authorization. The endpoint accepts a user-supplied path_or_url parameter without validation, allowing attackers to specify arbitrary file paths. Successful exploitation triggers deletion of documents from ElasticSearch indices and corresponding files from the MinIO storage backend. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H reflects network attack vector, low complexity, no privileges required, no user interaction, and high impact to integrity and availability.
Defensive priority
critical
Recommended defensive actions
- Immediately restrict network access to the Nexent v1.7.5.2 backend ElasticSearch service interface to trusted administrative hosts only
- Implement authentication and authorization controls on the DELETE /{index_name}/documents endpoint before any production deployment
- Validate and sanitize the path_or_url parameter to prevent path traversal and unauthorized file deletion
- Review MinIO storage access controls to ensure least-privilege access and prevent unauthorized file operations
- Monitor for anomalous DELETE requests to ElasticSearch indices and MinIO storage that may indicate exploitation attempts
- Apply vendor patches or updates when available; refer to third-party advisory for interim mitigation guidance
Evidence notes
Vulnerability description and CVSS 9.1 CRITICAL rating sourced from NVD. CPE criteria confirms affected version 1.7.5.2. CWE-552 (Files or Directories Accessible to External Parties) identified as secondary weakness. Third-party advisory reference available via Notion.
Official resources
-
CVE-2026-31215 CVE record
CVE.org
-
CVE-2026-31215 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
[email protected] - Product
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
2026-05-12T16:16:13.380Z