Description
A flaw was found in the community.general Ansible collection's nexmo module.
The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding
API credentials (api_key and api_secret) into URL query parameters and
sending them via GET requests. This causes credentials to be exposed in web
server access logs, proxy logs, HTTP Referer headers, and network monitoring
tools, despite the Ansible argument specification marking these parameters
as no_log. An attacker with access to any of these logging or monitoring
points can obtain the full API credentials and gain unauthorized access to
the victim's Vonage/Nexmo account.
Published: 2026-06-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The community.general Ansible collection’s nexmo module constructs HTTP GET requests that embed the Vonage API key and secret into the query string. Although the module’s argument specification marks these parameters as no_log, the credentials are still transmitted in the URL and therefore appear in web server access logs, proxy logs, HTTP Referer headers, and network monitoring tools. This flaw is categorized as CWE‑532, resulting in the compromise of confidential credentials. Once obtained, an attacker can use the Vonage account to send arbitrary SMS messages or otherwise abuse the service, with no impact on the local system itself.

Affected Systems

The vulnerability affects Red Hat Enterprise Linux 8, 9, and 10 systems that run Ansible with the community.general collection and utilize the nexmo module. The affected product is the Ansible community.general collection, specifically the nexmo.py module used in Ansible playbooks and Automation Controller or AWX environments on those operating systems.

Risk and Exploitability

The CVSS score of 6.5 classifies the weakness as medium severity. Because the EPSS score is reported as less than 1 % and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation is low, though not impossible. An attacker only needs the ability to observe network traffic, capture verbose output, or read access logs to retrieve the exposed credentials. The attack is passive and requires no additional privilege on the target system.

Generated by OpenCVE AI on June 26, 2026 at 01:25 UTC.

Remediation

Vendor Workaround

The following practices would help for avoiding exposure and mitigate this flaw: - If possible, stop using the community.general nexmo module entirely. It is deprecated upstream and was removed in community.general 9.0.0. Consider using the Vonage API directly via the community.general uri module with POST method and credentials in the request body. - Review web server, proxy, and load balancer access logs for any recorded Vonage API URLs containing api_key and api_secret parameters. Rotate any credentials found in logs. - Restrict access to HTTP access logs on systems where the nexmo module has been used. - Configure proxy and web server logging to redact or exclude query string parameters from URL logging where possible.


OpenCVE Recommended Actions

  • Upgrade the community.general Ansible collection to a version that removes the GET query vulnerability, or switch to using the Vonage API directly via the community.general uri module with a POST request and credentials in the request body.
  • If a collection upgrade is not feasible, apply a local patch to the nexmo.py module or replace it with a custom script that sends credentials in the request body instead of the query string.
  • Examine web server, proxy, and load balancer access logs for any Vonage URLs containing api_key and api_secret parameters; rotate any credentials that are found.
  • Restrict access to HTTP access logs on systems where the nexmo module has been used and configure proxy and web server logging to redact or exclude query string parameters from URL logging where possible.

Generated by OpenCVE AI on June 26, 2026 at 01:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Module: plugins/modules/nexmo.py CVSS 3.1: 6.5 MEDIUM — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, bypassing all no_log protection. Vulnerable Code (lines 82-93): msg = { "api_key": module.params.get("api_key"), "api_secret": module.params.get("api_secret"), "from": module.params.get("src"), "text": module.params.get("msg"), } url = f"{NEXMO_API}?{urlencode(msg)}" response, info = fetch_url(module, url, headers=headers) Observed Output: https://rest.nexmo.com/sms/json?api_key=a1b2c3d4&api_secret=MyS3cr3tK3y!!&from=AnsibleBot&to=15551234567&text=Hello Exposure Vectors: Ansible verbose output (-vvv) logs the full request URL Vonage/Nexmo server access logs record credentials in query string HTTP proxies, SIEM, and network inspection tools capture the full URL AWX/Automation Controller network debug logs Fix: Switch to POST with credentials in the request body: data = urlencode({"api_key": api_key, "api_secret": api_secret, "from": src, "to": number, "text": msg}) fetch_url(module, NEXMO_API, data=data, method="POST", headers={"Content-Type": "application/x-www-form-urlencoded"}) A flaw was found in the community.general Ansible collection's nexmo module. The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding API credentials (api_key and api_secret) into URL query parameters and sending them via GET requests. This causes credentials to be exposed in web server access logs, proxy logs, HTTP Referer headers, and network monitoring tools, despite the Ansible argument specification marking these parameters as no_log. An attacker with access to any of these logging or monitoring points can obtain the full API credentials and gain unauthorized access to the victim's Vonage/Nexmo account.

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat community.general
Vendors & Products Redhat community.general

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Module: plugins/modules/nexmo.py CVSS 3.1: 6.5 MEDIUM — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, bypassing all no_log protection. Vulnerable Code (lines 82-93): msg = { "api_key": module.params.get("api_key"), "api_secret": module.params.get("api_secret"), "from": module.params.get("src"), "text": module.params.get("msg"), } url = f"{NEXMO_API}?{urlencode(msg)}" response, info = fetch_url(module, url, headers=headers) Observed Output: https://rest.nexmo.com/sms/json?api_key=a1b2c3d4&api_secret=MyS3cr3tK3y!!&from=AnsibleBot&to=15551234567&text=Hello Exposure Vectors: Ansible verbose output (-vvv) logs the full request URL Vonage/Nexmo server access logs record credentials in query string HTTP proxies, SIEM, and network inspection tools capture the full URL AWX/Automation Controller network debug logs Fix: Switch to POST with credentials in the request body: data = urlencode({"api_key": api_key, "api_secret": api_secret, "from": src, "to": number, "text": msg}) fetch_url(module, NEXMO_API, data=data, method="POST", headers={"Content-Type": "application/x-www-form-urlencoded"})
Title Community.general: community.general nexmo — api credentials exposed in get url query string[security] community.general nexmo — api credentials exposed in get url query string
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-532
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Redhat Community.general Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-25T23:23:47.329Z

Reserved: 2026-06-09T17:27:33.388Z

Link: CVE-2026-11820

cve-icon Vulnrichment

Updated: 2026-06-24T12:39:42.927Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-15T01:00:00Z

Links: CVE-2026-11820 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T01:30:17Z

Weaknesses
  • CWE-532

    Insertion of Sensitive Information into Log File