PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31216 ModelEngine-Group CVE debrief

A critical unauthenticated arbitrary file deletion vulnerability exists in Nexent backend service version 1.7.5.2. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation, allowing remote attackers to delete arbitrary files from the underlying MinIO storage system without credentials. Published 2026-05-12, modified 2026-05-26. CVSS 3.1 score 9.1 (Critical). Not listed in CISA KEV.

Vendor: ModelEngine-Group
Product: nexent
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-26
Advisory published: 2026-05-12
Advisory updated: 2026-05-26

Who should care

Organizations running Nexent v1.7.5.2 backend services, particularly those exposing storage management APIs to untrusted networks. Security teams responsible for API gateway protection, MinIO storage deployments, and data loss prevention programs.

Technical summary

The Nexent v1.7.5.2 backend service exposes a file management API endpoint DELETE /storage/{object_name:path} without authentication, authorization, or input validation. The object_name path parameter is user-controlled and passed directly to the underlying MinIO storage system. Unauthenticated remote attackers can craft requests with arbitrary path values to delete any file accessible to the service account. This represents a critical integrity and availability impact with no confidentiality impact per CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.

Defensive priority

critical

Recommended defensive actions

  • Immediately restrict network access at the perimeter to the Nexent v1.7.5.2 backend service's DELETE /storage/{object_name:path} endpoint
  • Implement authentication and authorization controls on all storage management API endpoints before production deployment
  • Apply input validation and path sanitization to the object_name parameter to prevent directory traversal and arbitrary file deletion
  • Review MinIO storage bucket policies and implement least-privilege access controls
  • Monitor for unauthorized DELETE requests to storage endpoints in application and infrastructure logs
  • Contact vendor or consult third-party advisory for patch availability and official mitigation guidance
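An added defensive example, not part of this advisory or of Nexent's own code: a validator for the user-controlled object_name parameter (the allow-listed key prefix `uploads/` is an assumption) plus a scan over constructed access-log lines that flags the two conditions the actions above call out, DELETE requests with no credential and DELETE requests whose object name fails validation. The log line format, including the `auth=` field, is assumed for illustration.

```python
import re
from urllib.parse import unquote

# Hypothetical allow-list: the only key prefix this service may delete under.
ALLOWED_PREFIX = "uploads/"

def validate_object_name(raw: str) -> str:
    """Return the object key unchanged if safe, otherwise raise ValueError."""
    name = unquote(raw)  # decode first so %2e%2e or %2F cannot hide traversal
    if not name or len(name) > 1024 or any(ord(c) < 32 for c in name):
        raise ValueError("empty, oversized, or contains control characters")
    if name.startswith("/") or "\\" in name:
        raise ValueError("absolute path or backslash")
    if any(seg in ("", ".", "..") for seg in name.split("/")):
        raise ValueError("traversal or empty segment")
    if not name.startswith(ALLOWED_PREFIX):
        raise ValueError("outside allowed prefix")
    return name

def is_valid_object_name(raw: str) -> bool:
    try:
        validate_object_name(raw)
        return True
    except ValueError:
        return False

# Constructed access-log lines (not real Nexent output); auth=- means no credential.
SAMPLE_LOG = [
    '10.0.0.5 "GET /storage/uploads/a.txt HTTP/1.1" 200 auth=token',
    '10.0.0.9 "DELETE /storage/uploads/a.txt HTTP/1.1" 200 auth=-',
    '10.0.0.9 "DELETE /storage/uploads/..%2Fshared/b.txt HTTP/1.1" 200 auth=token',
    '10.0.0.7 "DELETE /storage/uploads/old.log HTTP/1.1" 204 auth=token',
]
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" \d{3} auth=(?P<auth>\S+)')

def flag_suspicious_deletes(lines):
    """Return (path, reason) pairs for DELETE /storage/ requests worth reviewing."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["method"] != "DELETE" or not m["path"].startswith("/storage/"):
            continue
        if m["auth"] == "-":
            findings.append((m["path"], "unauthenticated DELETE"))
            continue
        try:
            validate_object_name(m["path"][len("/storage/"):])
        except ValueError as exc:
            findings.append((m["path"], f"rejected object name: {exc}"))
    return findings
```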

Evidence notes

NVD analyzed status confirms vulnerability details. CWE-552 (Files or Directories Accessible to External Parties) assigned. Third-party advisory with mitigation guidance available via Notion reference.

Official resources

2026-05-12T16:16:13.493Z