{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-11820", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-06-09T17:27:33.388Z", "datePublished": "2026-06-23T19:53:19.664Z", "dateUpdated": "2026-06-25T23:23:47.329Z"}, "containers": {"cna": {"title": "Community.general: community.general nexmo \u2014 api credentials exposed in get url query string[security] community.general nexmo \u2014 api credentials exposed in get url query string", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the community.general Ansible collection's nexmo module.\nThe module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding\nAPI credentials (api_key and api_secret) into URL query parameters and\nsending them via GET requests. This causes credentials to be exposed in web\nserver access logs, proxy logs, HTTP Referer headers, and network monitoring\ntools, despite the Ansible argument specification marking these parameters\nas no_log. An attacker with access to any of these logging or monitoring\npoints can obtain the full API credentials and gain unauthorized access to\nthe victim's Vonage/Nexmo account."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhel-system-roles", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhc-worker-playbook", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhel-system-roles", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhel-system-roles", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-11820", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488970", "name": "RHBZ#2488970", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-06-15T01:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-532: Insertion of Sensitive Information into Log File", "workarounds": [{"lang": "en", "value": "The following practices would help for avoiding exposure and mitigate this\nflaw:\n- If possible, stop using the community.general nexmo module entirely. It is\n deprecated upstream and was removed in community.general 9.0.0. Consider\n using the Vonage API directly via the community.general uri module with\n POST method and credentials in the request body.\n- Review web server, proxy, and load balancer access logs for any recorded\n Vonage API URLs containing api_key and api_secret parameters. Rotate any\n credentials found in logs.\n- Restrict access to HTTP access logs on systems where the nexmo module has\n been used.\n- Configure proxy and web server logging to redact or exclude query string\n parameters from URL logging where possible."}], "timeline": [{"lang": "en", "time": "2026-06-15T18:38:43.346Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-15T01:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Bipin Saud (https://www.linkedin.com/in/bipinsaud/) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-25T23:23:47.329Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-24T12:39:10.319686Z", "id": "CVE-2026-11820", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T12:39:46.552Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-11820", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-24T12:39:10.319686Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T12:39:42.927Z"}}], "cna": {"title": "Community.general: community.general nexmo \u2014 api credentials exposed in get url query string[security] community.general nexmo \u2014 api credentials exposed in get url query string", "credits": [{"lang": "en", "value": "Red Hat would like to thank Bipin Saud (https://www.linkedin.com/in/bipinsaud/) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "packageName": "rhel-system-roles", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "rhc-worker-playbook", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "rhel-system-roles", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "rhel-system-roles", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2026-06-15T18:38:43.346Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-15T01:00:00.000Z", "value": "Made public."}], "datePublic": "2026-06-15T01:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-11820", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488970", "name": "RHBZ#2488970", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Module: plugins/modules/nexmo.py\n\nCVSS 3.1: 6.5 MEDIUM \u2014 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N \n\nIssue: api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, bypassing all no_log protection. \n\nVulnerable Code (lines 82-93):\n\nmsg = {\n\"api_key\": module.params.get(\"api_key\"),\n\"api_secret\": module.params.get(\"api_secret\"),\n\"from\": module.params.get(\"src\"),\n\"text\": module.params.get(\"msg\"),\n}\nurl = f\"{NEXMO_API}?{urlencode(msg)}\"\nresponse, info = fetch_url(module, url, headers=headers)\n\nObserved Output:\n\nhttps://rest.nexmo.com/sms/json?api_key=a1b2c3d4&api_secret=MyS3cr3tK3y!!&from=AnsibleBot&to=15551234567&text=Hello\n\nExposure Vectors: \n\nAnsible verbose output (-vvv) logs the full request URL \n\nVonage/Nexmo server access logs record credentials in query string \n\nHTTP proxies, SIEM, and network inspection tools capture the full URL \n\nAWX/Automation Controller network debug logs\n\nFix: Switch to POST with credentials in the request body:\n\ndata = urlencode({\"api_key\": api_key, \"api_secret\": api_secret,\n\"from\": src, \"to\": number, \"text\": msg})\nfetch_url(module, NEXMO_API, data=data, method=\"POST\",\nheaders={\"Content-Type\": \"application/x-www-form-urlencoded\"})"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-23T19:53:19.664Z"}, "x_redhatCweChain": "CWE-532: Insertion of Sensitive Information into Log File"}}, "cveMetadata": {"cveId": "CVE-2026-11820", "state": "PUBLISHED", "dateUpdated": "2026-06-24T12:39:46.552Z", "dateReserved": "2026-06-09T17:27:33.388Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-06-23T19:53:19.664Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{}

{"acknowledgement": "Red Hat would like to thank Bipin Saud (https://www.linkedin.com/in/bipinsaud/) for reporting this issue.", "bugzilla": {"description": "community.general: community.general nexmo \u2014 API credentials exposed in GET URL query string[SECURITY] community.general nexmo \u2014 API credentials exposed in GET URL query string", "id": "2488970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488970"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-532", "details": ["Module: plugins/modules/nexmo.py\nCVSS 3.1: 6.5 MEDIUM \u2014 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N \nIssue: api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, bypassing all no_log protection. \nVulnerable Code (lines 82-93):\nmsg = {\n\"api_key\": module.params.get(\"api_key\"),\n\"api_secret\": module.params.get(\"api_secret\"),\n\"from\": module.params.get(\"src\"),\n\"text\": module.params.get(\"msg\"),\n}\nurl = f\"{NEXMO_API}?{urlencode(msg)}\"\nresponse, info = fetch_url(module, url, headers=headers)\nObserved Output:\nhttps://rest.nexmo.com/sms/json?api_key=a1b2c3d4&api_secret=MyS3cr3tK3y!!&from=AnsibleBot&to=15551234567&text=Hello\nExposure Vectors: \nAnsible verbose output (-vvv) logs the full request URL \nVonage/Nexmo server access logs record credentials in query string \nHTTP proxies, SIEM, and network inspection tools capture the full URL \nAWX/Automation Controller network debug logs\nFix: Switch to POST with credentials in the request body:\ndata = urlencode({\"api_key\": api_key, \"api_secret\": api_secret,\n\"from\": src, \"to\": number, \"text\": msg})\nfetch_url(module, NEXMO_API, data=data, method=\"POST\",\nheaders={\"Content-Type\": \"application/x-www-form-urlencoded\"})"], "name": "CVE-2026-11820", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Under investigation", "package_name": "rhel-system-roles", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "rhc-worker-playbook", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "rhel-system-roles", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "rhel-system-roles", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-06-15T01:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-11820\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-11820"], "statement": "Code Flaw initial found in community.general 13.0.0, however, the same code logic is found in older versions going back at least to 8.3.", "threat_severity": "Moderate"}