CVE Catalog

CVE-2026-58167

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

A vulnerability in Nightingale (n9e) before version 9.0.0-beta.2 allows any authenticated low-privilege user (Standard role) to read full datasource configurations, including database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys. This occurs via the POST /api/n9e/datasource/list endpoint, which lacks admin authorization, and the DatasourceFilter does not redact secret fields.

Risk Assessment

Exposed credentials could allow an attacker to access connected downstream systems, leading to data breaches, data modification, or further attacks on the infrastructure.

Recommendation

Immediately upgrade Nightingale to version 9.0.0-beta.2 or later, which includes a fix for this vulnerability. Until the update, restrict access to the POST /api/n9e/datasource/list endpoint to administrators only.

Original NVD description (English source)

Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege (Standard role) user through POST /api/n9e/datasource/list. The route is registered without an admin authorization gate, unlike the sibling datasource mutation routes, and the open-source DatasourceFilter does not redact secret fields, so the secret-bearing settings, http, and auth objects are serialized in the response. The disclosed credentials enable access to the connected downstream systems.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS