Nexent Unauthorized Arbitrary File Deletion Vulnerability in ElasticSearch Service Interface

Vulnerability

A vulnerability allowing unauthorized arbitrary file deletion has been identified in the Nexent backend service version 1.7.5.2. This issue arises within the ElasticSearch service interface, specifically at the DELETE /{index_name}/documents endpoint, which lacks proper authentication and authorization controls. The endpoint also fails to validate the user-supplied path_or_url parameter, enabling unauthenticated remote attackers to send crafted requests that delete arbitrary documents from ElasticSearch indices and corresponding files from the MinIO storage system. Exploitation of this vulnerability leads to data destruction and a denial-of-service condition.
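One way to close both gaps described above (no authentication or authorization, and no validation of path_or_url), shown as an added example that is not Nexent's code. The Principal type, the function names and the per-tenant "<tenant_id>/" storage prefix are hypothetical assumptions made for illustration.

```python
from dataclasses import dataclass
from posixpath import normpath
from urllib.parse import urlsplit, unquote

class DeleteDenied(Exception):
    """Raised when a delete request must be rejected; carries an HTTP status."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status

@dataclass(frozen=True)
class Principal:  # hypothetical authenticated caller, built from a verified session/token
    user_id: str
    tenant_id: str
    writable_indices: frozenset

def object_key(path_or_url):
    """Reduce path_or_url to a normalized storage key, rejecting traversal."""
    # Assumption: for URL input only the path component names the stored object.
    raw = unquote(urlsplit(path_or_url).path if "://" in path_or_url else path_or_url)
    if not raw or "\x00" in raw or ".." in raw.split("/"):
        raise DeleteDenied(400, "invalid path_or_url")
    return normpath("/" + raw).lstrip("/")

def authorize_delete(principal, index_name, path_or_url):
    """Return the storage key that may be deleted, or raise DeleteDenied."""
    if principal is None:  # the missing authentication check
        raise DeleteDenied(401, "authentication required")
    if index_name not in principal.writable_indices:  # the missing authorization check
        raise DeleteDenied(403, "no write access to index")
    key = object_key(path_or_url)
    # Assumed layout: each tenant's files live under "<tenant_id>/" in the bucket.
    if not key.startswith(principal.tenant_id + "/"):
        raise DeleteDenied(403, "path outside caller's storage prefix")
    return key
```

The handler would call authorize_delete before touching either the index or the object store, and delete only the returned key.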

Impact

Successful exploitation allows for the unauthorized deletion of documents from ElasticSearch indices and the corresponding files from the MinIO storage system, causing data loss and a denial-of-service condition.

Added: May 12, 2026, 4:31 PM
Updated: May 12, 2026, 4:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.1
remediation: 0.0
relevance: 8.1
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.