Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network API reachable with low complexity, but a valid low-privilege account is required so PR:L; impact is pure credential confidentiality (C:H) with no integrity or availability effect on Nightingale.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege (Standard role) user through POST /api/n9e/datasource/list. The route is registered without an admin authorization gate, unlike the sibling datasource mutation routes, and the open-source DatasourceFilter does not redact secret fields, so the secret-bearing settings, http, and auth objects are serialized in the response. The disclosed credentials enable access to the connected downstream systems.
AnalysisAI
Credential disclosure in Nightingale (n9e) before 9.0.0-beta.2 lets any authenticated Standard-role (low-privilege) user retrieve full datasource configurations via POST /api/n9e/datasource/list, exposing plaintext database passwords, HTTP bearer tokens, basic-auth passwords, and mTLS client keys. Reported by VulnCheck and fixed in v9.0.0-beta.2, this missing-authorization flaw effectively turns a read-only monitoring account into a pivot point against every connected downstream system. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated session as at least a Standard-role (low-privilege) user - no admin rights, no user interaction, and no special non-default configuration are needed, since the vulnerable POST /api/n9e/datasource/list route ships without an admin authorization gate on all versions before 9.0.0-beta.2. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, base 7.1) is internally consistent with the description: network-reachable, low complexity, requires low-privilege authentication, pure confidentiality impact with no integrity or availability effect on Nightingale itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privilege Standard-role user (a malicious insider, a compromised viewer account, or a tenant in a shared deployment) sends an authenticated POST to /api/n9e/datasource/list and receives the unredacted datasource configurations in the JSON response. They extract the plaintext database password and mTLS client key and use them to connect directly to the backend database and other monitored systems, pivoting beyond their intended monitoring scope. … |
| Remediation | Vendor-released patch: 9.0.0-beta.2 - upgrade Nightingale to v9.0.0-beta.2 or later, which adds the missing admin authorization gate on the datasource list route (see https://github.com/ccfos/nightingale/releases/tag/v9.0.0-beta.2 and commit 762819fbaa2350b73bce45bfaf6f8cf74b4abef8). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Nightingale deployments and their current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40374
GHSA-27c6-wp53-387x