CVE-2026-11820
Analyzed
Analyzed - Analysis Complete
Credentials Leak via GET Request in Ansible Nexmo Module
Vulnerability report for CVE-2026-11820, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-23
Last updated on: 2026-07-01
Assigner: Red Hat, Inc.
Description
Description
A flaw was found in the community.general Ansible collection's nexmo module.
The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding
API credentials (api_key and api_secret) into URL query parameters and
sending them via GET requests. This causes credentials to be exposed in web
server access logs, proxy logs, HTTP Referer headers, and network monitoring
tools, despite the Ansible argument specification marking these parameters
as no_log. An attacker with access to any of these logging or monitoring
points can obtain the full API credentials and gain unauthorized access to
the victim's Vonage/Nexmo account.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |