{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-11820","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2026-06-09T17:27:33.388Z","datePublished":"2026-06-23T19:53:19.664Z","dateUpdated":"2026-06-25T23:23:47.329Z"},"containers":{"cna":{"title":"Community.general: community.general nexmo — api credentials exposed in get url query string[security] community.general nexmo — api credentials exposed in get url query string","metrics":[{"other":{"content":{"value":"Moderate","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A flaw was found in the community.general Ansible collection's nexmo module.\nThe module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding\nAPI credentials (api_key and api_secret) into URL query parameters and\nsending them via GET requests. This causes credentials to be exposed in web\nserver access logs, proxy logs, HTTP Referer headers, and network monitoring\ntools, despite the Ansible argument specification marking these parameters\nas no_log. An attacker with access to any of these logging or monitoring\npoints can obtain the full API credentials and gain unauthorized access to\nthe victim's Vonage/Nexmo account."}],"affected":[{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 10","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"rhel-system-roles","defaultStatus":"unknown","cpes":["cpe:/o:redhat:enterprise_linux:10"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 8","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"rhc-worker-playbook","defaultStatus":"unknown","cpes":["cpe:/o:redhat:enterprise_linux:8"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 8","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"rhel-system-roles","defaultStatus":"unknown","cpes":["cpe:/o:redhat:enterprise_linux:8"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 9","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"rhel-system-roles","defaultStatus":"unknown","cpes":["cpe:/o:redhat:enterprise_linux:9"]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-11820","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2488970","name":"RHBZ#2488970","tags":["issue-tracking","x_refsource_REDHAT"]}],"datePublic":"2026-06-15T01:00:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-532","description":"Insertion of Sensitive Information into Log File","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-532: Insertion of Sensitive Information into Log File","workarounds":[{"lang":"en","value":"The following practices would help for avoiding exposure and mitigate this\nflaw:\n- If possible, stop using the community.general nexmo module entirely. It is\n  deprecated upstream and was removed in community.general 9.0.0. Consider\n  using the Vonage API directly via the community.general uri module with\n  POST method and credentials in the request body.\n- Review web server, proxy, and load balancer access logs for any recorded\n  Vonage API URLs containing api_key and api_secret parameters. Rotate any\n  credentials found in logs.\n- Restrict access to HTTP access logs on systems where the nexmo module has\n  been used.\n- Configure proxy and web server logging to redact or exclude query string\n  parameters from URL logging where possible."}],"timeline":[{"lang":"en","time":"2026-06-15T18:38:43.346Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-15T01:00:00.000Z","value":"Made public."}],"credits":[{"lang":"en","value":"Red Hat would like to thank Bipin Saud (https://www.linkedin.com/in/bipinsaud/) for reporting this issue."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-06-25T23:23:47.329Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-24T12:39:10.319686Z","id":"CVE-2026-11820","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-24T12:39:46.552Z"}}]}}