CVE-2026-31216

Name of the Vulnerable Software and Affected Versions nexent version 1.7.5.2

Description The backend service contains an issue in its file management API where the 'DELETE /storage/{object name:path}' endpoint lacks authentication, authorization, and input validation. Unauthenticated remote attackers can use a crafted object name path parameter to delete arbitrary files from the underlying MinIO storage system, which is a high-performance object storage server. This can result in data loss and denial of service.

Recommendations For version 1.7.5.2, restrict access to the 'DELETE /storage/{object name:path}' endpoint or avoid using the object name parameter until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.