CVE-2026-11819
Status: Received - Intake
Information Disclosure in Ansible keyring_info Module

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: Red Hat, Inc.

Description
Module: plugins/modules/keyring_info.py
CVSS 3.1: 5.5 MEDIUM (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Issue: The module retrieves a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) and places it directly into result["passphrase"] with no output suppression, no no_log protection, and no documentation warning.

Root Cause:
  Line 105 (protected): keyring_password=dict(type="str", required=True, no_log=True)
  Line 127 (NOT protected): result["passphrase"] = passphrase

Observed Output:
  { "changed": false, "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret" }

Visible via register + debug:
  { "keyring_result": { "changed": false, "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret" } }

Impact:
  • Master passwords, SSH key passphrases and service credentials appear in all Ansible output
  • register: keyring_result followed by debug: var=keyring_result prints the passphrase in full
  • Ansible fact caching backends (Redis, JSON file, memcached) may persist the passphrase
  • AWX/Tower job logs silently store the live credential

Fix: module.exit_json(changed=False, passphrase=passphrase, _ansible_no_log=True)
Also add a documentation warning requiring callers to use no_log: true at the task level.

PoCs:
  Fig 1: PoC execution showing passphrase in plaintext output
  Fig 2: Source code showing no_log=True on input (line 105) vs unprotected output (line 127)
Meta Information
  Published: 2026-06-23
  Last Modified: 2026-06-23
  Generated: 2026-06-24
  AI Q&A: 2026-06-24
  EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
  Vendor: ansible   Product: ansible   Version / Range: *
CWE
  CWE-532: The product writes sensitive information to a log file.
Executive Summary

This vulnerability exists in the Ansible module plugins/modules/keyring_info.py. The module retrieves a passphrase from the operating system's native keyring (such as GNOME Keyring, macOS Keychain, or Windows Credential Manager) and places it directly into the output result without any suppression or protection.

Specifically, although the keyring_password input parameter is declared with no_log=True to protect it, the retrieved passphrase is assigned to result["passphrase"] in the returned result without any no_log protection or documentation warning. As a result, the passphrase is visible in Ansible task output, debug output, fact caching backends, and job logs.

Impact Analysis

This vulnerability can lead to sensitive credentials such as master passwords, SSH key passphrases, and service credentials being exposed in plaintext in various outputs and logs.

  • Passphrases appear in all Ansible output when using register and debug.
  • Ansible fact caching backends like Redis, JSON files, or memcached may persist these passphrases.
  • AWX/Tower job logs silently store the live credentials, increasing the risk of unauthorized access.

Detection Guidance

This vulnerability can be detected by observing Ansible output or logs for the presence of sensitive passphrases in plaintext. Specifically, if a task uses the keyring_info module and the passphrase appears in the output or debug information without suppression, it indicates the vulnerability.

You can check for this by running an Ansible playbook that uses the keyring_info module with a registered variable and then printing that variable with debug. For example:

  • ansible-playbook playbook.yml --tags keyring_info
  • In the playbook, use register: keyring_result followed by debug: var=keyring_result

If the output shows the passphrase in plaintext under keyring_result.passphrase, the vulnerability is present.
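The check above can be automated against the JSON stdout callback's output rather than read by eye. The following scanner is an added example for this advisory, not code from the Ansible project; the sample output embedded in it is constructed, and the shape of a no_log-censored result is a simplified assumption about what the callback emits.

```python
"""Scan Ansible JSON-callback output for task results that expose secrets.
Added example for this advisory, not code from the Ansible project. The sample
output is constructed; the censored-result shape is a simplified assumption
about what the stdout callback emits under no_log: true."""
import json
import re

# Keys whose leaf values should never appear uncensored in task output.
SECRET_KEY = re.compile(r"pass(word|phrase)|secret|token", re.IGNORECASE)

# Constructed sample resembling ANSIBLE_STDOUT_CALLBACK=json output: a
# keyring_info task, a debug task printing the registered result, and the
# same lookup under no_log: true, where Ansible replaces the result.
SAMPLE_JSON_OUTPUT = json.dumps({"plays": [{"tasks": [
    {"task": {"name": "read passphrase"},
     "hosts": {"web1": {"changed": False,
                        "passphrase": "CONSTRUCTED-not-a-real-secret"}}},
    {"task": {"name": "show result"},
     "hosts": {"web1": {"keyring_result": {
         "changed": False, "passphrase": "CONSTRUCTED-not-a-real-secret"}}}},
    {"task": {"name": "read passphrase (no_log)"},
     "hosts": {"web2": {"censored": "the output has been hidden due to the "
                                    "fact that 'no_log: true' was specified "
                                    "for this result"}}},
]}]})


def _leaf_paths(obj, prefix=""):
    """Yield (dotted key path, value) for every scalar in a nested result."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _leaf_paths(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _leaf_paths(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj


def find_leaked_secrets(json_text):
    """Return (task name, host, key path) for each non-empty secret-like leaf;
    a no_log-censored result only has a 'censored' key, so it never matches."""
    leaks = []
    for play in json.loads(json_text).get("plays", []):
        for task in play.get("tasks", []):
            name = task.get("task", {}).get("name", "")
            for host, result in task.get("hosts", {}).items():
                for path, value in _leaf_paths(result):
                    if SECRET_KEY.search(path) and value not in ("", None):
                        leaks.append((name, host, path))
    return leaks
```

Run against the sample, the scanner reports the direct keyring_info result and the register + debug copy under keyring_result.passphrase, while the task run with no_log: true produces no finding.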

Mitigation Strategies

Immediate mitigation steps include modifying the keyring_info module to suppress the passphrase in its returned result by passing _ansible_no_log=True to module.exit_json when returning the passphrase.

Additionally, callers of the module should use no_log: true at the task level to prevent the passphrase from appearing in logs or output.

Avoid registering and printing the passphrase variable directly in playbooks or debug tasks.

Compliance Impact

This vulnerability causes sensitive information such as master passwords, SSH key passphrases, and service credentials to be exposed in Ansible outputs, logs, and fact caching backends without proper protection.

Such exposure of sensitive credentials can lead to non-compliance with common security and privacy standards like GDPR and HIPAA, which require strict controls to protect sensitive data and prevent unauthorized disclosure.

Specifically, the lack of output suppression and no_log protection means that confidential information may be stored in logs and caches, increasing the risk of data breaches and violating data protection requirements.
