CVE-2026-11820
MEDIUMAnsible community.general nexmo - API Credentials Exposed in GET URL
Title source: manualDescription
A flaw was found in the community.general Ansible collection's nexmo module. The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding API credentials (api_key and api_secret) into URL query parameters and sending them via GET requests. This causes credentials to be exposed in web server access logs, proxy logs, HTTP Referer headers, and network monitoring tools, despite the Ansible argument specification marking these parameters as no_log. An attacker with access to any of these logging or monitoring points can obtain the full API credentials and gain unauthorized access to the victim's Vonage/Nexmo account.
References (2)
Core 2
Core References
Vdb Entry, X_Refsource_Redhat vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-11820
Issue Tracking, X_Refsource_Redhat issue-tracking
x_refsource_redhat
RHBZ#2488970
https://bugzilla.redhat.com/show_bug.cgi?id=2488970
Scores
CVSS v3
6.5
EPSS
0.0029
EPSS Percentile
20.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-532
Status
published
Products (6)
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux 8
Red Hat/Red Hat Enterprise Linux 9
redhat/enterprise_linux
8.0
redhat/enterprise_linux
9.0
redhat/enterprise_linux
10.0
Published
Jun 23, 2026
Tracked Since
Jun 24, 2026