CVE-2026-11820

Summary

A flaw was found in the community.general Ansible collection's nexmo module. The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding API credentials (api_key and api_secret) into URL query parameters and sending them via GET requests. This causes credentials to be exposed in web server access logs, proxy logs, HTTP Referer headers, and network monitoring tools, despite the Ansible argument specification marking these parameters as no_log. An attacker with access to any of these logging or monitoring points can obtain the full API credentials and gain unauthorized access to the victim's Vonage/Nexmo account.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-532: Insertion of Sensitive Information into Log File

Workarounds

The following practices would help for avoiding exposure and mitigate this flaw:

  • If possible, stop using the community.general nexmo module entirely. It is deprecated upstream and was removed in community.general 9.0.0. Consider using the Vonage API directly via the community.general uri module with POST method and credentials in the request body.
  • Review web server, proxy, and load balancer access logs for any recorded Vonage API URLs containing api_key and api_secret parameters. Rotate any credentials found in logs.
  • Restrict access to HTTP access logs on systems where the nexmo module has been used.
  • Configure proxy and web server logging to redact or exclude query string parameters from URL logging where possible.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References