CVE-2026-11820
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
A flaw in the community.general Ansible collection's nexmo module sends API credentials (api_key and api_secret) as URL query parameters via GET requests. This exposes credentials in web server logs, proxy logs, HTTP Referer headers, and network monitoring tools, despite the Ansible argument specification marking these parameters as no_log.
Risk Assessment
An attacker with access to logs or network monitoring can obtain full API credentials and gain unauthorized access to the victim's Vonage/Nexmo account, potentially leading to financial theft, impersonation, or other abuses.
Recommendation
Immediately update the community.general collection to a patched version and rotate the Vonage/Nexmo API credentials. Until the update, avoid using the nexmo module or use alternative authentication methods.
Original NVD description (English source)
A flaw was found in the community.general Ansible collection's nexmo module. The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding API credentials (api_key and api_secret) into URL query parameters and sending them via GET requests. This causes credentials to be exposed in web server access logs, proxy logs, HTTP Referer headers, and network monitoring tools, despite the Ansible argument specification marking these parameters as no_log. An attacker with access to any of these logging or monitoring points can obtain the full API credentials and gain unauthorized access to the victim's Vonage/Nexmo account.

