CVE-2026-58167

Source
https://cve.org/CVERecord?id=CVE-2026-58167
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58167.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58167
Published
2026-06-30T15:51:55.505Z
Modified
2026-07-08T08:15:58.161264348Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Nightingale < 9.0.0-beta.2 - Datasource Credential Disclosure to Low-Privilege Users
Details

Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege (Standard role) user through POST /api/n9e/datasource/list. The route is registered without an admin authorization gate, unlike the sibling datasource mutation routes, and the open-source DatasourceFilter does not redact secret fields, so the secret-bearing settings, http, and auth objects are serialized in the response. The disclosed credentials enable access to the connected downstream systems.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58167.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/ccfos/nightingale

Affected ranges

Type
GIT
Repo
https://github.com/ccfos/nightingale
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.0.0-beta.2"
        }
    ]
}

Affected versions

V1.*
V1.3.1
V1.3.2
V1.4.1
V2.*
V2.1.0
V2.2.1
v1.*
v1.0.0
v1.0.2
v1.0.3
v1.1.0
v1.2.0
v1.2.2
v1.2.3
v1.2.4
v1.3.0
v1.3.3
v1.4.0
v2.*
v2.0.0
v2.2.0
v2.2.2
v2.4.2
v2.7.0
v2.7.1
v2.7.2
v2.8.0
v3.*
v3.1.4
v3.1.6
v3.3.0
v3.3.1
v3.4.0
v3.4.1
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.7.0
v3.7.1
v3.8.0
v4.*
v4.0.0
v4.0.2
v4.0.3
v5.*
v5.0.0-ga-02
v5.0.0-ga-04
v5.0.0-ga-05
v5.0.0-ga-06
v5.0.0-rc7
v5.1.0
v5.10.0
v5.10.1
v5.10.2
v5.10.3
v5.11.0
v5.11.1
v5.11.2
v5.11.3
v5.12.0
v5.12.1
v5.13.0
v5.13.1
v5.14.0
v5.14.1
v5.14.2
v5.14.3
v5.14.4
v5.14.5
v5.15.0
v5.2.0
v5.2.2
v5.2.3
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.4.0
v5.5.0
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.7.0
v5.8.0
v5.9.2
v5.9.3
v5.9.4
v5.9.5
v5.9.6
v5.9.7
v6.*
v6.0.0
v6.0.0-beta.0
v6.0.0-beta.1
v6.0.0-beta.2
v6.0.0-beta.3
v6.0.0-beta.4
v6.0.0-beta.5
v6.0.0-ga.1
v6.0.0-ga.10
v6.0.0-ga.11
v6.0.0-ga.12
v6.0.0-ga.13
v6.0.0-ga.14
v6.0.0-ga.14-pre
v6.0.0-ga.2
v6.0.0-ga.3
v6.0.0-ga.4
v6.0.0-ga.4.0.1
v6.0.0-ga.4.1
v6.0.0-ga.5
v6.0.0-ga.6
v6.0.0-ga.7
v6.0.0-ga.7.0.1
v6.0.0-ga.7.0.2
v6.0.0-ga.8
v6.0.0-ga.9
v6.0.2
v6.0.3
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.4.0
v6.5.0
v6.6.0
v6.6.1
v6.7.0
v6.7.1
v6.7.2
v7.*
v7.0.0
v7.0.0-beta.0
v7.0.0-beta.10
v7.0.0-beta.12
v7.0.0-beta.12.1
v7.0.0-beta.13
v7.0.0-beta.14
v7.0.0-beta.14.1
v7.0.0-beta.14.2
v7.0.0-beta.14.3
v7.0.0-beta.2
v7.0.0-beta.2.0.1
v7.0.0-beta.3
v7.0.0-beta.5
v7.0.0-beta.7
v7.0.0-beta.8
v7.0.0-beta.9
v7.1.0
v7.2.0
v7.2.1
v7.3.0
v7.3.1
v7.3.2
v7.3.3
v7.4.0
v7.4.1
v7.5.0
v7.6.0
v7.7.1
v8.*
v8.0.0
v8.0.0-beta.1
v8.0.0-beta.10
v8.0.0-beta.11
v8.0.0-beta.12
v8.0.0-beta.13
v8.0.0-beta.14
v8.0.0-beta.2
v8.0.0-beta.3
v8.0.0-beta.4
v8.0.0-beta.5
v8.0.0-beta.6
v8.0.0-beta.7
v8.0.0-beta.8
v8.0.0-beta.8.1
v8.0.0-beta.8.2
v8.0.0-beta.9
v8.1.0
v8.2.0
v8.2.1
v8.2.2
v8.3.0
v8.3.1
v8.5.0
v8.5.1
v9.*
v9.0.0-beta.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58167.json"