Data Exposure Vulnerability in Nightingale by CCFOS
CVE-2026-58167

7.1 HIGH

Key Information:

Vendor: Ccfos
CVE Published: 30 June 2026

What is CVE-2026-58167?

Nightingale versions before 9.0.0-beta.2 have a vulnerability that allows low-privilege users to access sensitive datasource configurations. This exposure includes plaintext database passwords, HTTP bearer tokens, basic-auth passwords, and mTLS client keys through the insecure endpoint POST /api/n9e/datasource/list. The lack of an admin authorization gate on this route, combined with the failure to redact secret fields in the response, leaves critical credentials exposed and may enable unauthorized access to downstream systems.
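As a defensive illustration added here (not Nightingale's own code), the following stand-alone Go net/http handler implements the two controls the description says the vulnerable route lacked: an admin-only authorization gate, and redaction of the secret fields (database password, bearer token, basic-auth password, mTLS client key) before the list is serialized. The Datasource field names and the X-Role header are assumptions for this example, not the project's real schema or auth mechanism.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
)

// Datasource stands in for a Nightingale datasource record; field names are assumed, not the project's real schema.
type Datasource struct {
	Name          string `json:"name"`
	DBPassword    string `json:"db_password,omitempty"`
	BearerToken   string `json:"bearer_token,omitempty"`
	BasicAuthPass string `json:"basic_auth_password,omitempty"`
	TLSClientKey  string `json:"tls_client_key,omitempty"`
}
// Redact masks every secret-bearing field so no credential reaches the response body.
func Redact(d Datasource) Datasource {
	for _, p := range []*string{&d.DBPassword, &d.BearerToken, &d.BasicAuthPass, &d.TLSClientKey} {
		if *p != "" {
			*p = "***"
		}
	}
	return d
}
// RequireAdmin is the gate the vulnerable route lacked; the role comes from an X-Role header assumed set by upstream auth.
func RequireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Role") != "admin" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// ListHandler serves the datasource list: admin-only, and redacted even for admins (defense in depth).
func ListHandler(store []Datasource) http.Handler {
	return RequireAdmin(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		out := make([]Datasource, 0, len(store))
		for _, d := range store {
			out = append(out, Redact(d))
		}
		json.NewEncoder(w).Encode(out)
	}))
}
func main() {
	store := []Datasource{{Name: "prom", DBPassword: "fake-s3cret"}} // constructed sample, not a real secret
	http.Handle("/api/n9e/datasource/list", ListHandler(store))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

A non-admin request receives 403 before the store is touched, and an admin request receives the list with every secret field replaced by "***".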

Affected Version(s)

nightingale 0 < 9.0.0-beta.2

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability Published
  • Vulnerability Reserved

Credit

George Chen