CVE-2026-58167
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
A vulnerability in Nightingale (n9e) before version 9.0.0-beta.2 allows any authenticated low-privilege user (Standard role) to read full datasource configurations, including database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys. This occurs via the POST /api/n9e/datasource/list endpoint, which lacks admin authorization, and the DatasourceFilter does not redact secret fields.
Risk Assessment
Exposed credentials could allow an attacker to access connected downstream systems, leading to data breaches, data modification, or further attacks on the infrastructure.
Recommendation
Immediately upgrade Nightingale to version 9.0.0-beta.2 or later, which includes a fix for this vulnerability. Until the update, restrict access to the POST /api/n9e/datasource/list endpoint to administrators only.
Original NVD description (English source)
Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege (Standard role) user through POST /api/n9e/datasource/list. The route is registered without an admin authorization gate, unlike the sibling datasource mutation routes, and the open-source DatasourceFilter does not redact secret fields, so the secret-bearing settings, http, and auth objects are serialized in the response. The disclosed credentials enable access to the connected downstream systems.

