MITRE service request: 1987825
Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).
The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied path_or_url parameter. This allows unauthenticated remote attackers to send crafted requests that trigger the deletion of arbitrary documents from ElasticSearch indices and corresponding files from the MinIO storage system. Successful exploitation leads to data destruction and denial of service.
An exposed HTTP DELETE /{index_name}/documents handler accepts a caller-controlled path_or_url query parameter without authentication. The backend uses that value both to delete matching documents in Elasticsearch and to delete a MinIO object keyed by the same string, so a remote attacker can wipe arbitrary indexed content and backing objects.
DELETE /{index_name}/documents?path_or_url=... — no session or tenant check before invoking ElasticSearchService.delete_documents() with the raw path_or_url; the handler then calls the generic file-delete helper with the same user string, which maps directly to a MinIO object key. Because keys are attacker-influenced and predictable paths are enumerable, the attacker can target high-value blobs (for example uploads paths).

curl -X DELETE "http://<host>/<index>/documents?path_or_url=/uploads/a.pdf" — unauthenticated if the deployment exposes the API.

Critical on internet-exposed deployments without an API gateway or mutual auth in front of the nexent API. Confidentiality may remain intact while integrity and availability collapse.
path_or_url against an allow-list, and separate ES document deletes from MinIO deletes with explicit authorization.
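As an added illustration (not nexent's code) of the weak handler pattern described above and of the allow-list plus separated-delete mitigation, the following Python puts the two handlers side by side. Everything in it is an assumption constructed for the example: the in-memory Elasticsearch and MinIO stand-ins (FakeES, FakeMinIO), the Principal type, the /uploads/ allow-list root, the function names and the sample records; none of these are taken from the project.

```python
import posixpath
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is missing or is not allowed to modify the index."""


class BadRequest(Exception):
    """path_or_url failed validation."""


class FakeES:
    """In-memory stand-in for Elasticsearch (assumption for this example).
    docs: index_name -> {doc_id: {"path_or_url", "tenant_id", "object_key"}}"""

    def __init__(self, docs):
        self.docs = docs

    def find_by_path(self, index, path_or_url):
        return {d: s for d, s in self.docs.get(index, {}).items()
                if s["path_or_url"] == path_or_url}

    def delete_ids(self, index, ids):
        for d in ids:
            self.docs.get(index, {}).pop(d, None)
        return len(ids)


class FakeMinIO:
    """In-memory stand-in for a MinIO bucket (assumption for this example)."""

    def __init__(self, objects):
        self.objects = dict(objects)

    def remove_object(self, key):
        return self.objects.pop(key, None) is not None


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    indices: frozenset  # indices this caller may modify


ALLOWED_PREFIX = "/uploads/"  # constructed allow-list root for delete targets


def delete_documents_weak(es, minio, index_name, path_or_url):
    """The pattern the advisory describes: no caller check, no validation, and the
    raw query string is reused as the MinIO object key."""
    ids = list(es.find_by_path(index_name, path_or_url))
    deleted = es.delete_ids(index_name, ids)
    minio.remove_object(path_or_url)
    return deleted


def validate_path(path_or_url):
    """Allow-list: plain paths under ALLOWED_PREFIX only, checked after normalization
    so that '..' segments cannot escape the root."""
    if "://" in path_or_url:
        raise BadRequest("URLs are not accepted as delete targets")
    norm = posixpath.normpath(path_or_url)
    if not norm.startswith(ALLOWED_PREFIX):
        raise BadRequest("path outside the allowed upload root")
    return norm


def delete_documents_hardened(es, minio, principal, index_name, path_or_url):
    """Authenticate, authorize per index, validate the target, delete only the
    caller's tenant's documents, and remove MinIO objects by the key stored on
    each deleted document rather than by the request string."""
    if principal is None:
        raise Forbidden("authentication required")
    if index_name not in principal.indices:
        raise Forbidden(f"{principal.user_id} may not modify {index_name}")
    norm = validate_path(path_or_url)
    owned = {d: s for d, s in es.find_by_path(index_name, norm).items()
             if s["tenant_id"] == principal.tenant_id}
    es.delete_ids(index_name, list(owned))
    removed = sum(1 for s in owned.values() if minio.remove_object(s["object_key"]))
    return len(owned), removed


def fresh_state():
    """Constructed sample data: two tenants index the same path in index 'kb'."""
    es = FakeES({"kb": {
        "d1": {"path_or_url": "/uploads/a.pdf", "tenant_id": "t1", "object_key": "t1/uploads/a.pdf"},
        "d2": {"path_or_url": "/uploads/a.pdf", "tenant_id": "t2", "object_key": "t2/uploads/a.pdf"},
    }})
    minio = FakeMinIO({"t1/uploads/a.pdf": b"pdf-1", "t2/uploads/a.pdf": b"pdf-2"})
    return es, minio


if __name__ == "__main__":
    es, minio = fresh_state()
    print("weak handler, anonymous caller:",
          delete_documents_weak(es, minio, "kb", "/uploads/a.pdf"), "docs deleted across tenants")
    es, minio = fresh_state()
    alice = Principal("alice", "t1", frozenset({"kb"}))
    print("hardened handler, tenant t1:",
          delete_documents_hardened(es, minio, alice, "kb", "/uploads/a.pdf"))
```

The weak handler shows both halves of the advisory: one anonymous call removes every tenant's documents for the path, and a second call with a key-shaped string removes the backing object directly. The hardened handler keeps the Elasticsearch delete and the MinIO delete as separate, individually authorized steps, and the object key is read from the record being deleted, so the request string never reaches the object store.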