Bug 2488970 (CVE-2026-11820) - CVE-2026-11820 community.general: community.general nexmo — API credentials exposed in GET URL query string[SECURITY] community.general nexmo — API credentials exposed in GET URL query string
Summary: CVE-2026-11820 community.general: community.general nexmo — API credentials e...
Keywords:
Status: NEW
Alias: CVE-2026-11820
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-15 18:44 UTC by OSIDB Bzimport
Modified: 2026-06-25 19:39 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-15 18:44:27 UTC
api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, bypassing all no_log protection

Comment 2 Thomas Eagle 2026-06-25 19:38:02 UTC
A flaw was found in the community.general Ansible collection's nexmo module
(plugins/modules/nexmo.py). The send_msg() function constructs the Vonage
REST API URL by encoding all message parameters — including api_key and
api_secret — into the URL query string using urlencode(), then makes a GET
request via fetch_url(). While the module's Ansible argument specification
correctly declares api_key and api_secret with no_log=True (preventing
Ansible from logging the raw parameter values in task output), the module's
own HTTP implementation embeds the credentials directly in the request URL.
This exposes the credentials through multiple channels: (1) web server and
reverse proxy access logs, which routinely record full request URLs; (2) HTTP
Referer headers sent to downstream servers; (3) network packet inspection
and monitoring tools; (4) Ansible callback plugins or verbose output that
may log the URL. The Vonage REST API supports POST requests with credentials
in the request body, making this a correctable implementation deficiency. The
vulnerability affects all versions of community.general that include the nexmo
module, confirmed back to at least version 6.3.0. The nexmo module is
deprecated upstream and was removed in community.general 9.0.0, but older
versions remain packaged in Red Hat product streams.

    Upstream: https://github.com/ansible-collections/community.general
    Affected version: all (confirmed back to 6.3.0)
    Fixed version: 9.0.0 (module removed; no in-place fix for older versions)
    Reporter: Bipin Saud / okBoss


Note You need to log in before you can comment on or make changes to this bug.