Description
Module: plugins/modules/keyring_info.py

CVSS 3.1: 5.5 MEDIUM — AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Issue: The module retrieves a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) and places it directly into result["passphrase"] with no output suppression, no no_log protection, and no documentation warning.

Root Cause:

Line 105 (protected): keyring_password=dict(type="str", required=True, no_log=True)
Line 127 (NOT protected): result["passphrase"] = passphrase

Observed Output:

{
    "changed": false,
    "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret"
}

Visible via register + debug:

{
    "keyring_result": {
        "changed": false,
        "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret"
    }
}

Impact:

Master passwords, SSH key passphrases and service credentials appear in all Ansible output

register: keyring_result followed by debug: var=keyring_result prints passphrase in full

Ansible fact caching backends (Redis, JSON file, memcached) may persist the passphrase

AWX/Tower job logs silently store the live credential

Fix:

module.exit_json(changed=False, passphrase=passphrase, _ansible_no_log=True)

Also add a documentation warning requiring callers to use no_log: true at the task level.
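As an added check (example code, not the community.general project's own), a small Python AST scan for the pattern described above: a secret-looking result key that reaches exit_json without _ansible_no_log=True. The two sample module bodies are constructed to mirror line 127 and the proposed fix; Python 3.9+ is assumed for the ast.Subscript.slice shape.

```python
"""Added example, not community.general's code: an AST check for the CWE-532
pattern in this advisory, a secret-looking key reaching module.exit_json
without the _ansible_no_log=True safeguard (Python 3.9+ assumed)."""
import ast
import re

SECRET_KEY = re.compile(r"pass(word|phrase)|secret|token|api_?key", re.I)


def find_unprotected_secret_outputs(source: str) -> list[tuple[int, str]]:
    """Return sorted (line, key) pairs for secret-looking result keys that an
    exit_json call lacking _ansible_no_log=True would print to Ansible output."""
    tree = ast.parse(source)
    tainted = {}  # secret-looking key written into a result dict -> line
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Subscript)
                and isinstance(node.targets[0].slice, ast.Constant)
                and isinstance(node.targets[0].slice.value, str)
                and SECRET_KEY.search(node.targets[0].slice.value)):
            tainted[node.targets[0].slice.value] = node.lineno
    findings = set()
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "exit_json"):
            continue
        if any(kw.arg == "_ansible_no_log" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords):
            continue  # Ansible censors the whole result, as in the advisory's fix
        for kw in node.keywords:
            if kw.arg is None:  # **result: every key written into the dict escapes
                findings.update((line, key) for key, line in tainted.items())
            elif SECRET_KEY.search(kw.arg):
                findings.add((node.lineno, kw.arg))
    return sorted(findings)


# Constructed samples mirroring the advisory's line 127 and its proposed fix.
VULNERABLE = '''\
def run_module(module, passphrase):
    result = dict(changed=False)
    result["passphrase"] = passphrase
    module.exit_json(**result)
'''
FIXED = '''\
def run_module(module, passphrase):
    module.exit_json(changed=False, passphrase=passphrase, _ansible_no_log=True)
'''

if __name__ == "__main__":
    print(find_unprotected_secret_outputs(VULNERABLE))  # [(3, 'passphrase')]
    print(find_unprotected_secret_outputs(FIXED))       # []
```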

PoCs

Fig 1: PoC execution showing passphrase in plaintext output

Fig 2: Source code showing no_log=True on input (line 105) vs unprotected output (line 127)

Published: 2026-06-23
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
AI Analysis

Impact

The community.general keyring_info module extracts a passphrase from the operating system's native keyring and writes it directly into the result dictionary without applying no_log protection. When the module's output is logged, registered, or printed by Ansible, the clear-text passphrase becomes visible to anyone with access to the playbook output, job logs, or fact caching backends. This leaks master passwords, SSH key passphrases, or other service credentials, compromising data confidentiality.

Affected Systems

Red Hat Enterprise Linux 8, 9, and 10 when the community.general keyring_info module is invoked. The vulnerability is present in any environment that uses the module to read credentials from GNOME Keyring, macOS Keychain, or Windows Credential Manager.

Risk and Exploitability

The CVSS v3.1 score of 5.5 indicates a medium severity vulnerability with an AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N profile. No EPSS score is available and the issue is not listed in the CISA KEV catalog. The likely attack vector is local access to the Ansible control node or any node on which the module runs; the attacker must be able to execute the keyring_info task and capture its output. Because the credentials are simply printed, exploitation is straightforward once the required access is available, and the compromised secrets can persist in AWX/Tower logs or fact caching backends.

Generated by OpenCVE AI on June 24, 2026 at 10:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the community.general collection to a version that includes the fixed keyring_info implementation; this patch adds _ansible_no_log to the module exit and a documentation warning.
  • When invoking keyring_info in playbooks, set no_log: true on the task to suppress the passphrase from any Ansible output.
  • Review AWX/Tower and fact-caching configuration to ensure that job logs and cache stores are properly secured or cleared after use, preventing long-term persistence of the leaked passphrase.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 20:30:00 +0000

Type: Values Added (no values removed)

Description: the text of the Description section above
Title: Community.general: community.general keyring_info — os keyring passphrase returned in plaintext
First Time appeared: Redhat; Redhat enterprise Linux
Weaknesses: CWE-532
CPEs: cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9
Vendors & Products: Redhat; Redhat enterprise Linux
References: (none)
Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-23T19:53:17.188Z

Reserved: 2026-06-09T17:27:25.326Z

Link: CVE-2026-11819

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:15:05Z

Weaknesses
  • CWE-532: Insertion of Sensitive Information into Log File