Bug 2487251 (CVE-2026-11819) - CVE-2026-11819 community.general: community.general keyring_info — OS keyring passphrase returned in plaintext
Summary: CVE-2026-11819 community.general: community.general keyring_info — OS keyring...
Keywords:
Status: NEW
Alias: CVE-2026-11819
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-09 19:17 UTC by OSIDB Bzimport
Modified: 2026-06-26 13:03 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-09 19:17:44 UTC
Hi Red Hat Security Team, 

I am reporting a vulnerability in community.general v13.0.0

Module: plugins/modules/keyring_info.py 

CVSS 3.1: 5.5 MEDIUM — AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 

Issue: The module retrieves a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) and places it directly into result["passphrase"] with no output suppression, no no_log protection, and no documentation warning.

Comment 3 Thomas Eagle 2026-06-26 13:03:53 UTC
This flaw affects the community.general Ansible collection's keyring_info
module in all versions since its introduction in version 5.2.0. Red Hat
ships ansible-collection-community-general in several product streams
(EPEL, Fedora, OpenStack). The module returns OS keyring passphrases in
plaintext in Ansible task output, making them visible in logs and monitoring
systems. As a workaround, users should add no_log: true at the task level
when using this module. The companion keyring module (write-side) is not
affected.


Note You need to log in before you can comment on or make changes to this bug.