CVE Catalog

CVE-2026-11819

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile — higher than 3% of all known CVEs

Summary

The Ansible keyring_info module leaks SSH key passphrases and other secrets in plaintext to Ansible logs, AWX/Tower, and fact cache backends. Despite the input parameter being marked no_log=True, the module output is unprotected, allowing any user with log access to read the passphrase.

Risk Assessment

The organization risks exposure of master passwords, SSH key passphrases, and service credentials in Ansible logs, potentially leading to unauthorized system and data access. Secrets may be persistently stored in fact cache backends (Redis, JSON, memcached) and AWX/Tower job logs.

Recommendation

Immediately update the keyring_info module to a version that includes the _ansible_no_log=True fix in the module.exit_json call. Additionally, set no_log: true at the task level for all invocations of this module.

Original NVD description (English source)

Module: plugins/modules/keyring_info.py CVSS 3.1: 5.5 MEDIUM — AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: The module retrieves a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) and places it directly into result["passphrase"] with no output suppression, no no_log protection, and no documentation warning. Root Cause: Line 105 (protected): keyring_password=dict(type="str", required=True, no_log=True) Line 127 (NOT protected): result["passphrase"] = passphrase Observed Output: { "changed": false, "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret" } Visible via register + debug: { "keyring_result": { "changed": false, "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret" } } Impact: Master passwords, SSH key passphrases and service credentials appear in all Ansible output register: keyring_result followed by debug: var=keyring_result prints passphrase in full Ansible fact caching backends (Redis, JSON file, memcached) may persist the passphrase AWX/Tower job logs silently store the live credential Fix: module.exit_json(changed=False, passphrase=passphrase, _ansible_no_log=True) Also add a documentation warning requiring callers to use no_log: true at the task level. PoCs Fig 1: PoC execution showing passphrase in plaintext output Fig 2: Source code showing no_log=True on input (line 105) vs unprotected output (line 127)

Vulnerability data from NVD (NIST) · CISA KEV · EPSS