GHSA-87GP-WMHR-WGCW
Vulnerability from github – Published: 2026-06-23 21:30 – Updated: 2026-06-26 00:32
Module: plugins/modules/nexmo.py
CVSS 3.1: 6.5 MEDIUM — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Issue: api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, bypassing all no_log protection.
Vulnerable Code (lines 82-93):

```python
# Imports the excerpt relies on (declared earlier in the module):
from urllib.parse import urlencode
from ansible.module_utils.urls import fetch_url

# Every parameter, the no_log=True credentials included, is URL-encoded
# into the query string, so the secrets become part of the request URL.
msg = {
    "api_key": module.params.get("api_key"),
    "api_secret": module.params.get("api_secret"),
    "from": module.params.get("src"),
    "text": module.params.get("msg"),
}
url = f"{NEXMO_API}?{urlencode(msg)}"
response, info = fetch_url(module, url, headers=headers)
```
Observed Output:

```
https://rest.nexmo.com/sms/json?api_key=a1b2c3d4&api_secret=MyS3cr3tK3y!!&from=AnsibleBot&to=15551234567&text=Hello
```
Exposure Vectors:

- Ansible verbose output (-vvv) logs the full request URL
- Vonage/Nexmo server access logs record credentials in the query string
- HTTP proxies, SIEM, and network inspection tools capture the full URL
- AWX/Automation Controller network debug logs
Fix: Switch to POST with credentials in the request body:

```python
# Credentials travel in the form-encoded body; the URL holds only the endpoint.
data = urlencode({"api_key": api_key, "api_secret": api_secret,
                  "from": src, "to": number, "text": msg})
fetch_url(module, NEXMO_API, data=data, method="POST",
          headers={"Content-Type": "application/x-www-form-urlencoded"})
```
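As an added example (not code from the advisory or from the nexmo module), the following self-contained Python contrasts the two request shapes using only `urllib.parse`; Ansible's `fetch_url` is not called, and the builder functions simply return the request a caller would hand to it. The sample parameter values are constructed to mirror the advisory's observed output. The `credentials_in_url` check and the `redact_url` helper are assumptions added for defenders (a unit test or a log pipeline could use them); neither is part of the module, and redaction is a secondary control, not a replacement for the POST fix.

```python
# Added example: contrast the vulnerable GET shape with the POST fix from the
# advisory, using only urllib.parse. Ansible's fetch_url is NOT called here;
# the two builder functions return the request a caller would pass to it.
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs, parse_qsl

NEXMO_API = "https://rest.nexmo.com/sms/json"          # endpoint from the advisory
SENSITIVE_KEYS = frozenset({"api_key", "api_secret"})  # the no_log=True inputs

# Constructed sample values, mirroring the advisory's observed output.
SAMPLE_PARAMS = {
    "api_key": "a1b2c3d4",
    "api_secret": "MyS3cr3tK3y!!",
    "from": "AnsibleBot",
    "to": "15551234567",
    "text": "Hello",
}


def build_get_request(params):
    """Vulnerable shape: every parameter, secrets included, is URL-encoded
    into the query string, so the secret is part of the URL itself."""
    url = f"{NEXMO_API}?{urlencode(params)}"
    return {"method": "GET", "url": url, "data": None, "headers": {}}


def build_post_request(params):
    """Fixed shape from the advisory: the same parameters go in a
    form-encoded body; the URL contains only the endpoint."""
    return {
        "method": "POST",
        "url": NEXMO_API,
        "data": urlencode(params),
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    }


def verbose_log_line(request):
    """What a request-level logger (Ansible -vvv, a proxy, a server access
    log) typically records: method and URL, not the body."""
    return f"{request['method']} {request['url']}"


def credentials_in_url(url):
    """Names of sensitive parameters present in a URL's query string.
    An empty list means nothing that logs the URL would see a credential."""
    query = parse_qs(urlsplit(url).query)
    return sorted(key for key in query if key in SENSITIVE_KEYS)


def redact_url(url):
    """Secondary control for log pipelines (an assumption, not from the
    module): replace sensitive query values with a marker, keep the rest."""
    parts = urlsplit(url)
    pairs = [
        (key, "REDACTED" if key in SENSITIVE_KEYS else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for build in (build_get_request, build_post_request):
        req = build(SAMPLE_PARAMS)
        leaked = credentials_in_url(req["url"])
        print(verbose_log_line(req))
        print("  credentials in URL:", leaked or "none")
        print("  redacted URL:", redact_url(req["url"]))
```

Running the block prints the GET log line with both credentials visible in the URL and the POST log line with none; the secret still exists in the POST body, which is why the check looks at the URL specifically, that being the part the listed exposure vectors record.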
{
"affected": [],
"aliases": [
"CVE-2026-11820"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-23T21:16:54Z",
"severity": "MODERATE"
},
"details": "Module: plugins/modules/nexmo.py\n\nCVSS 3.1: 6.5 MEDIUM \u2014 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N \n\nIssue: api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, bypassing all no_log protection. \n\nVulnerable Code (lines 82-93):\n\nmsg = {\n\"api_key\": module.params.get(\"api_key\"),\n\"api_secret\": module.params.get(\"api_secret\"),\n\"from\": module.params.get(\"src\"),\n\"text\": module.params.get(\"msg\"),\n}\nurl = f\"{NEXMO_API}?{urlencode(msg)}\"\nresponse, info = fetch_url(module, url, headers=headers)\n\nObserved Output:\n\nhttps://rest.nexmo.com/sms/json?api_key=a1b2c3d4\u0026api_secret=MyS3cr3tK3y!!\u0026from=AnsibleBot\u0026to=15551234567\u0026text=Hello\n\nExposure Vectors: \n\nAnsible verbose output (-vvv) logs the full request URL \n\nVonage/Nexmo server access logs record credentials in query string \n\nHTTP proxies, SIEM, and network inspection tools capture the full URL \n\nAWX/Automation Controller network debug logs\n\nFix: Switch to POST with credentials in the request body:\n\ndata = urlencode({\"api_key\": api_key, \"api_secret\": api_secret,\n\"from\": src, \"to\": number, \"text\": msg})\nfetch_url(module, NEXMO_API, data=data, method=\"POST\",\nheaders={\"Content-Type\": \"application/x-www-form-urlencoded\"})",
"id": "GHSA-87gp-wmhr-wgcw",
"modified": "2026-06-26T00:32:03Z",
"published": "2026-06-23T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11820"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-11820"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488970"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}