CVE-2026-58167

Nightingale n9e Credential Exposure via Datasource List

Vulnerability report for CVE-2026-58167, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege (Standard role) user through POST /api/n9e/datasource/list. The route is registered without an admin authorization gate, unlike the sibling datasource mutation routes, and the open-source DatasourceFilter does not redact secret fields, so the secret-bearing settings, http, and auth objects are serialized in the response. The disclosed credentials enable access to the connected downstream systems.


Affected Vendors & Products

2 associated CPEs:

Vendor        Product      Version / Range
nightingale   n9e          < 9.0.0-beta.2 (all versions before 9.0.0-beta.2)
ccfos         nightingale  < 9.0.0-beta.2 (all versions before 9.0.0-beta.2)

Exploitability

CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-58167 is a security vulnerability in Nightingale (n9e) versions before 9.0.0-beta.2 where low-privilege authenticated users (with the Standard role) can access sensitive datasource credentials. This happens because the POST /api/n9e/datasource/list endpoint does not enforce admin-level authorization checks, unlike other datasource routes.

As a result, these users can retrieve full datasource configurations including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys. The open-source DatasourceFilter component fails to redact these secret fields, exposing them in the API response.

This exposure allows unauthorized users to gain access to connected downstream systems by using the disclosed credentials.

Impact Analysis

This vulnerability can have serious security impacts because it allows low-privilege users to obtain sensitive credentials that should be restricted to administrators.

  • Unauthorized access to databases such as MySQL, PostgreSQL, and ClickHouse using exposed plaintext passwords.
  • Compromise of HTTP authentication mechanisms through exposed bearer tokens and basic-auth passwords.
  • Exposure of mTLS client keys and key passwords, which let the holder present Nightingale's client certificate to the downstream system and authenticate as the monitoring server itself (client impersonation rather than a man-in-the-middle position).

Overall, attackers or malicious insiders with standard user access can escalate their privileges or move laterally within the network by leveraging these leaked credentials.

Detection Guidance

This vulnerability can be detected by attempting to access the POST /api/n9e/datasource/list endpoint with an authenticated low-privilege (Standard role) user account. If the response includes full datasource configurations with plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, or mTLS client keys, the system is vulnerable.

A practical check is to issue the request with a command-line HTTP client such as curl, using a session token that belongs to a Standard-role account, and inspect the response body rather than only the status code:

  • curl -X POST -H "Authorization: Bearer <standard_user_token>" https://<nightingale_server>/api/n9e/datasource/list

A fixed instance either rejects the request for a non-admin caller or returns the datasource entries with the secret-bearing fields empty; a vulnerable instance returns populated passwords, bearer tokens or PEM key material inside the settings, http and auth objects. Run this only against an instance you are authorized to test, and treat the captured response as sensitive material, since it may itself contain live credentials.
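Inspecting a large datasource list by eye is error-prone, so the following added example (not code from the page or from the Nightingale project) walks a saved datasource/list response and reports every populated field whose key name suggests a secret. Nightingale's exact field names are not given in the advisory, so the sample response and the key-name heuristic (password, passwd, token, secret, key) are this example's assumptions; empty values are ignored because a fixed instance returns the objects with secrets blanked.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Key-name fragments treated as secret-bearing. This heuristic list is an
// assumption of this example, not Nightingale's field list.
var secretKeyHints = []string{"password", "passwd", "token", "secret", "key"}

func looksSecret(key string) bool {
	k := strings.ToLower(key)
	for _, h := range secretKeyHints {
		if strings.Contains(k, h) {
			return true
		}
	}
	return false
}

// walk recurses through decoded JSON and records the path of every
// secret-looking key whose value is a non-empty string.
func walk(node interface{}, path string, out *[]string) {
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			p := k
			if path != "" {
				p = path + "." + k
			}
			if s, ok := child.(string); ok && s != "" && looksSecret(k) {
				*out = append(*out, p)
				continue
			}
			walk(child, p, out)
		}
	case []interface{}:
		for i, child := range v {
			walk(child, fmt.Sprintf("%s[%d]", path, i), out)
		}
	}
}

// FindExposedSecrets decodes a datasource/list response body and returns the
// JSON paths of all populated secret-looking fields, sorted for stable output.
// An empty result means the response carries no plaintext secrets.
func FindExposedSecrets(body []byte) ([]string, error) {
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, err
	}
	var found []string
	walk(doc, "", &found)
	sort.Strings(found)
	return found, nil
}

// sampleResponse is a constructed body imitating what a vulnerable instance
// might return to a Standard-role user. Field names are assumptions; the
// third entry shows what a redacted (fixed) record looks like.
const sampleResponse = `{
  "dat": [
    {"id": 1, "name": "mysql-prod", "plugin_type": "mysql",
     "settings": {"mysql.addr": "db:3306", "mysql.user": "n9e", "mysql.password": "hunter2"}},
    {"id": 2, "name": "prom", "plugin_type": "prometheus",
     "http": {"url": "http://prom:9090", "basic_auth_password": "p@ss"},
     "auth": {"bearer_token": "eyJabc"}},
    {"id": 3, "name": "redacted-ok", "plugin_type": "prometheus",
     "http": {"url": "http://prom2:9090", "basic_auth_password": ""}}
  ],
  "err": ""
}`

func main() {
	paths, err := FindExposedSecrets([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	if len(paths) == 0 {
		fmt.Println("no populated secret fields in response")
		return
	}
	fmt.Println("populated secret fields (instance likely vulnerable):")
	for _, p := range paths {
		fmt.Println("  " + p)
	}
}
```

To use it against a real instance, save the curl output to a file and feed its bytes to FindExposedSecrets; the paths it prints tell you which datasources need their credentials rotated once the instance is patched.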

Mitigation Strategies

The immediate mitigation step is to upgrade Nightingale to version 9.0.0-beta.2 or later, where this vulnerability has been fixed.

The fix involves adding proper admin authorization checks on the /api/n9e/datasource/list endpoint and redacting sensitive datasource secrets for non-admin users using a new RedactSecrets() method.

Until the upgrade can be performed, restrict access to the vulnerable endpoint to trusted admin users (for example, if non-admin users in your deployment do not need it, block POST /api/n9e/datasource/list at a reverse proxy in front of Nightingale for all but a trusted set of admin sessions or networks) and monitor the access logs for requests to it from non-admin accounts. Because a Standard-role user may already have retrieved the configurations, treat every credential stored in a datasource (database passwords, bearer tokens, basic-auth passwords and mTLS client keys) as potentially exposed, and rotate them after upgrading.
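The following added example sketches the two halves of the fix described above in Go (Nightingale's language), as an illustration written for this page rather than the project's own code. The Datasource struct, its field names, the User type and the handler signatures are all assumptions; what the example shows is the pre-fix handler returning stored records verbatim to any caller, beside a hardened handler that keeps full output for admins and applies a RedactSecrets method to copies for everyone else. Redacting a deep copy rather than the stored record matters because the Settings map would otherwise be shared with the store.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Datasource is a simplified, assumed model of a datasource record with the
// three secret-bearing objects the advisory names (settings, http, auth).
type Datasource struct {
	ID       int64             `json:"id"`
	Name     string            `json:"name"`
	Settings map[string]string `json:"settings"` // driver settings, e.g. mysql.user / mysql.password
	HTTP     HTTPConfig        `json:"http"`
	Auth     AuthConfig        `json:"auth"`
}

type HTTPConfig struct {
	URL    string `json:"url"`
	Token  string `json:"token"`   // HTTP bearer token
	TLSKey string `json:"tls_key"` // mTLS client private key (PEM)
}

type AuthConfig struct {
	BasicUser string `json:"basic_auth_user"`
	BasicPass string `json:"basic_auth_password"`
}

// User carries only what the handlers need: whether the caller is an admin.
type User struct {
	Name  string
	Admin bool
}

// clone returns a deep copy so redaction never touches the stored record.
func (d Datasource) clone() Datasource {
	c := d
	c.Settings = make(map[string]string, len(d.Settings))
	for k, v := range d.Settings {
		c.Settings[k] = v
	}
	return c
}

// RedactSecrets blanks every secret-bearing field in place. Settings keys are
// matched by name because each driver stores its own key set (assumption).
func (d *Datasource) RedactSecrets() {
	for k := range d.Settings {
		if strings.Contains(strings.ToLower(k), "password") {
			d.Settings[k] = ""
		}
	}
	d.HTTP.Token = ""
	d.HTTP.TLSKey = ""
	d.Auth.BasicPass = ""
}

// ListVulnerable mirrors the pre-fix behaviour: no role check, and the stored
// records, secrets included, go straight into the response.
func ListVulnerable(_ User, store []Datasource) []Datasource {
	return store
}

// ListFixed mirrors the fix: admins get the full configuration, everyone else
// gets copies with RedactSecrets applied.
func ListFixed(u User, store []Datasource) []Datasource {
	out := make([]Datasource, 0, len(store))
	for _, d := range store {
		c := d.clone()
		if !u.Admin {
			c.RedactSecrets()
		}
		out = append(out, c)
	}
	return out
}

// sampleStore is constructed sample data standing in for the database.
func sampleStore() []Datasource {
	return []Datasource{
		{ID: 1, Name: "mysql-prod", Settings: map[string]string{"mysql.user": "n9e", "mysql.password": "hunter2"}},
		{ID: 2, Name: "prom",
			HTTP: HTTPConfig{URL: "http://prom:9090", Token: "eyJabc", TLSKey: "-----BEGIN PRIVATE KEY----- (constructed)"},
			Auth: AuthConfig{BasicUser: "n9e", BasicPass: "p@ss"}},
	}
}

func main() {
	standard := User{Name: "alice", Admin: false}
	for _, h := range []struct {
		name string
		list func(User, []Datasource) []Datasource
	}{{"vulnerable", ListVulnerable}, {"fixed", ListFixed}} {
		b, _ := json.Marshal(h.list(standard, sampleStore()))
		fmt.Printf("%s handler, Standard user sees: %s\n", h.name, b)
	}
}
```

If the list route is instead gated so that only admins may call it at all, the same RedactSecrets method still belongs on any other path that serializes a datasource (exports, audit views, API clients), so that a future route registered without the gate does not reintroduce the leak.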
