Skip to main content

Nightingale

1 CVEs product

Monthly

CVE-2026-58167 HIGH PATCH This Week

Credential disclosure in Nightingale (n9e) before 9.0.0-beta.2 lets any authenticated Standard-role (low-privilege) user retrieve full datasource configurations via POST /api/n9e/datasource/list, exposing plaintext database passwords, HTTP bearer tokens, basic-auth passwords, and mTLS client keys. Reported by VulnCheck and fixed in v9.0.0-beta.2, this missing-authorization flaw effectively turns a read-only monitoring account into a pivot point against every connected downstream system. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Nightingale
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Credential disclosure in Nightingale (n9e) before 9.0.0-beta.2 lets any authenticated Standard-role (low-privilege) user retrieve full datasource configurations via POST /api/n9e/datasource/list, exposing plaintext database passwords, HTTP bearer tokens, basic-auth passwords, and mTLS client keys. Reported by VulnCheck and fixed in v9.0.0-beta.2, this missing-authorization flaw effectively turns a read-only monitoring account into a pivot point against every connected downstream system. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Nightingale
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy