PatchSiren

ModelEngine-Group CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL ModelEngine-Group CVE published 2026-05-12

CVE-2026-31216

A critical unauthenticated arbitrary file deletion vulnerability exists in Nexent backend service version 1.7.5.2. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation, allowing remote attackers to delete arbitrary files from the underlying MinIO storage system without credentials. Published 2026-05-12, modified 2026-05-26. CVSS 3.1 score 9.1 (Critical) [truncated]

CRITICAL ModelEngine-Group CVE published 2026-05-12

CVE-2026-31215

CVE-2026-31215 is a critical vulnerability in Nexent v1.7.5.2 affecting the backend Elasticsearch service interface. The DELETE /{index_name}/documents endpoint lacks authentication, authorization, and path validation on the user-supplied path_or_url parameter. Unauthenticated remote attackers can exploit this to delete arbitrary documents from Elasticsearch indices and corresponding files from MinIO stor [truncated]