MITRE service request: 1987825
Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).
The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send crafted requests with a user-controlled object_name path parameter to delete arbitrary files from the underlying MinIO storage system. Successful exploitation leads to data loss and denial of service.
The storage microservice exposes DELETE /storage/{object_name:path} where object_name may include slashes, effectively letting anonymous callers delete arbitrary object keys in the configured bucket. The call chain (remove_storage_file → delete_file_impl → attachment_db.delete_file → MinIO delete_object) never verifies caller identity or object ownership.
DELETE /storage/<object_key>; attacker supplies a fully qualified object key such as uploads/private/secret.pdf.delete_object against MinIO.Critical for deployments exposing the API to untrusted networks. Primary impact is integrity and availability (mass data deletion).