Description
Module: plugins/modules/nexmo.py

CVSS 3.1: 6.5 MEDIUM — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Issue: api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, bypassing all no_log protection.

Vulnerable Code (lines 82-93):

msg = {
    "api_key": module.params.get("api_key"),
    "api_secret": module.params.get("api_secret"),
    "from": module.params.get("src"),
    "text": module.params.get("msg"),
}
url = f"{NEXMO_API}?{urlencode(msg)}"
response, info = fetch_url(module, url, headers=headers)

Observed Output:

https://rest.nexmo.com/sms/json?api_key=a1b2c3d4&api_secret=MyS3cr3tK3y!!&from=AnsibleBot&to=15551234567&text=Hello

Exposure Vectors:

Ansible verbose output (-vvv) logs the full request URL

Vonage/Nexmo server access logs record credentials in query string

HTTP proxies, SIEM, and network inspection tools capture the full URL

AWX/Automation Controller network debug logs

Fix: Switch to POST with credentials in the request body:

data = urlencode({"api_key": api_key, "api_secret": api_secret,
                  "from": src, "to": number, "text": msg})
fetch_url(module, NEXMO_API, data=data, method="POST",
          headers={"Content-Type": "application/x-www-form-urlencoded"})
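The following is an added illustration, not code from the community.general module: it builds the same request both ways so the difference is visible in the request line itself, and adds the check a log-redaction filter or CI test would run to catch credentials that landed in a query string. It uses only the standard library (the real module calls Ansible's fetch_url, which is not used here); the endpoint is the one in the observed output above, and the parameter values are constructed placeholders, not real credentials.

```python
# Added example, not the community.general nexmo module's own code.
# Demonstrates why no_log on the argument spec cannot protect a value that is
# url-encoded into the request line, and what changes once it moves to the
# POST body. Standard library only; Ansible's fetch_url is not called.
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint as it appears in the advisory's observed output.
NEXMO_API = "https://rest.nexmo.com/sms/json"

# Parameter names that must never reach a request line, access log or proxy log.
SENSITIVE_PARAMS = frozenset({"api_key", "api_secret"})

# Constructed sample parameters (placeholders, not real credentials).
SAMPLE_PARAMS = {
    "api_key": "a1b2c3d4",
    "api_secret": "MyS3cr3tK3y!!",
    "from": "AnsibleBot",
    "to": "15551234567",
    "text": "Hello",
}


def build_get_request(params):
    """Vulnerable shape: every field, credentials included, becomes part of the URL."""
    return f"{NEXMO_API}?{urlencode(params)}"


def build_post_request(params):
    """Fixed shape: the URL stays bare and the form-encoded body carries the fields."""
    body = urlencode(params)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return NEXMO_API, body, headers


def credentials_in_url(url):
    """Return the sensitive parameter names present in a URL's query string.

    Anything this returns is a credential that will be written to server access
    logs, proxy logs and -vvv output regardless of the no_log declaration.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name in SENSITIVE_PARAMS)


def redact_url(url):
    """Mask leaked credential values so a URL can be logged safely."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    masked = {k: ("***" if k in SENSITIVE_PARAMS else v[0]) for k, v in query.items()}
    return parts._replace(query=urlencode(masked)).geturl()


if __name__ == "__main__":
    get_url = build_get_request(SAMPLE_PARAMS)
    print("GET request line :", get_url)
    print("leaked params    :", credentials_in_url(get_url))
    print("redacted for log :", redact_url(get_url))

    post_url, body, headers = build_post_request(SAMPLE_PARAMS)
    print("POST request line:", post_url)
    print("leaked params    :", credentials_in_url(post_url))
```

Run as a script, the GET variant prints a request line containing api_key and api_secret (urlencode renders the "!!" of the sample secret as %21%21), credentials_in_url flags both names, and the POST variant prints a bare endpoint with nothing flagged. The same credentials_in_url check can be pointed at any captured request line to confirm whether a deployed copy of the module has been patched.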

Published: 2026-06-23
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The community.general Ansible module for Nexmo exposes API keys and secrets because the credentials, though declared as no_log, are inserted into a GET request URL. This causes the credentials to be visible in the query string, bypassing the intended logging suppression. The vulnerability is classified as CWE-532 (Exposed Credentials) and carries a CVSS 3.1 score of 6.5, indicating a medium severity risk of confidentiality compromise. If discovered, attackers could obtain the API key and secret, allowing them to send unauthorized SMS messages or abuse the Nexmo service.

Affected Systems

The flaw appears in Red Hat Enterprise Linux 8, 9 and 10 installations that use the community.general collection. The affected product is the Ansible community.general collection, specifically the nexmo.py module, which is part of the Automation Controller or AWX deployments on these operating systems.

Risk and Exploitability

With no user interaction required beyond normal Ansible playbook execution, an attacker who can observe the network traffic, capture Ansible verbose output, or read Automation Controller logs can retrieve the exposed credentials. Since the issue leverages standard HTTPS endpoints, passive network monitoring or proxy logs may reveal the credentials. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, but the medium CVSS and the clear path to credential disclosure make it a significant risk for confidentiality of the Nexmo integration.

Generated by OpenCVE AI on June 23, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the community.general Ansible collection to the latest released version that implements the fix, switching the Nexmo request method to POST and sending credentials in the request body.
  • If an upgrade is not possible, manually patch the local nexmo.py module to use POST with the credentials in the body that is not logged, mirroring the proposed fix.
  • As a complementary temporary measure, disable Ansible verbose output and ensure that any automation platform logs are configured to mask or strip API credentials from recorded payloads.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 00:15:00 +0000

Type: References
Values removed / added: (none listed)

Type: Metrics
Values removed: threat_severity: None
Values added: threat_severity: Moderate


Tue, 23 Jun 2026 20:30:00 +0000

Type: Description
Values added: identical to the Description section above (module, CVSS vector, issue, vulnerable code, observed output, exposure vectors and fix)

Type: Title
Values added: Community.general: community.general nexmo — api credentials exposed in get url query string; [security] community.general nexmo — api credentials exposed in get url query string

Type: First Time appeared
Values added: Redhat; Redhat enterprise Linux

Type: Weaknesses
Values added: CWE-532

Type: CPEs
Values added: cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9

Type: Vendors & Products
Values added: Redhat; Redhat enterprise Linux

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-23T19:53:19.664Z

Reserved: 2026-06-09T17:27:33.388Z

Link: CVE-2026-11820

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Public Date: 2026-06-15T01:00:00Z

Links: CVE-2026-11820 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-24T00:00:09Z

Weaknesses
  • CWE-532

    Insertion of Sensitive Information into Log File