Skip to main content

Nightingale (n9e) EUVDEUVD-2026-40374

| CVE-2026-58167 HIGH
Missing Authorization (CWE-862)
2026-06-30 VulnCheck GHSA-27c6-wp53-387x
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network API reachable with low complexity, but a valid low-privilege account is required so PR:L; impact is pure credential confidentiality (C:H) with no integrity or availability effect on Nightingale.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Source Code Evidence Fetched
Jun 30, 2026 - 17:41 vuln.today
Analysis Updated
Jun 30, 2026 - 17:41 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 17:40 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 17:22 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 17:22 NVD
MEDIUM HIGH
CVSS changed
Jun 30, 2026 - 17:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Jun 30, 2026 - 17:21 vuln.today

DescriptionCVE.org

Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege (Standard role) user through POST /api/n9e/datasource/list. The route is registered without an admin authorization gate, unlike the sibling datasource mutation routes, and the open-source DatasourceFilter does not redact secret fields, so the secret-bearing settings, http, and auth objects are serialized in the response. The disclosed credentials enable access to the connected downstream systems.

AnalysisAI

Credential disclosure in Nightingale (n9e) before 9.0.0-beta.2 lets any authenticated Standard-role (low-privilege) user retrieve full datasource configurations via POST /api/n9e/datasource/list, exposing plaintext database passwords, HTTP bearer tokens, basic-auth passwords, and mTLS client keys. Reported by VulnCheck and fixed in v9.0.0-beta.2, this missing-authorization flaw effectively turns a read-only monitoring account into a pivot point against every connected downstream system. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as Standard-role user
Delivery
POST /api/n9e/datasource/list
Exploit
Receive unredacted datasource secrets
Execution
Extract DB passwords and mTLS keys
Persist
Connect to downstream systems
Impact
Access/exfiltrate downstream data

Vulnerability AssessmentAI

Exploitation Requires an authenticated session as at least a Standard-role (low-privilege) user - no admin rights, no user interaction, and no special non-default configuration are needed, since the vulnerable POST /api/n9e/datasource/list route ships without an admin authorization gate on all versions before 9.0.0-beta.2. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, base 7.1) is internally consistent with the description: network-reachable, low complexity, requires low-privilege authentication, pure confidentiality impact with no integrity or availability effect on Nightingale itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege Standard-role user (a malicious insider, a compromised viewer account, or a tenant in a shared deployment) sends an authenticated POST to /api/n9e/datasource/list and receives the unredacted datasource configurations in the JSON response. They extract the plaintext database password and mTLS client key and use them to connect directly to the backend database and other monitored systems, pivoting beyond their intended monitoring scope. …
Remediation Vendor-released patch: 9.0.0-beta.2 - upgrade Nightingale to v9.0.0-beta.2 or later, which adds the missing admin authorization gate on the datasource list route (see https://github.com/ccfos/nightingale/releases/tag/v9.0.0-beta.2 and commit 762819fbaa2350b73bce45bfaf6f8cf74b4abef8). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Nightingale deployments and their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy