Nightingale < 9.0.0-beta.2 - Datasource Credential Disclosure to Low-Privilege Users | Advisories

Advisories

Nightingale < 9.0.0-beta.2 - Datasource Credential Disclosure to Low-Privilege Users

severity: high
date: 6/30/2026
Affecting: Nightingale < 9.0.0-beta.2
CVE: CVE-2026-58167
CWE: CWE-862 Missing Authorization
CVSS: 7.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: Release Notes
GitHub Issue
Fix PR
Fix Commit
Credit: George Chen
Description: Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege (Standard role) user through POST /api/n9e/datasource/list. The route is registered without an admin authorization gate, unlike the sibling datasource mutation routes, and the open-source DatasourceFilter does not redact secret fields, so the secret-bearing settings, http, and auth objects are serialized in the response. The disclosed credentials enable access to the connected downstream systems.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo