CVE-2026-31215

Name of the Vulnerable Software and Affected Versions nexent version 1.7.5.2

Description The backend service contains an unauthorized arbitrary file deletion issue within its ElasticSearch service interface. The 'DELETE /{index name}/documents' endpoint lacks proper authentication and authorization controls and fails to validate the path or url parameter. This allows unauthenticated remote attackers to send crafted requests that trigger the deletion of arbitrary documents from ElasticSearch indices and associated files from the MinIO storage system, resulting in data destruction and denial of service.

Recommendations For version 1.7.5.2, restrict access to the 'DELETE /{index name}/documents' endpoint or avoid using the path or url parameter until a fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.