PT-2026-51587 · Red Hat · Red Hat Enterprise Linux 10+2
Published 2026-06-23 · Updated 2026-06-23 · CVE-2026-11820
CVSS v3.1 6.5 Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Module: plugins/modules/nexmo.py
CVSS 3.1: 6.5 MEDIUM — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Issue: api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, which bypasses the no_log protection entirely: no_log masks the values in module output, not in a URL that other components log.
Vulnerable Code (lines 82-93):
# Secrets are mixed into the same dict as the message fields...
msg = {
    "api_key": module.params.get("api_key"),
    "api_secret": module.params.get("api_secret"),
    "from": module.params.get("src"),
    "text": module.params.get("msg"),
}
# ...and then serialized into the query string of a GET request, so the full
# URL (credentials included) is what every log on the path sees.
url = f"{NEXMO_API}?{urlencode(msg)}"
response, info = fetch_url(module, url, headers=headers)
Observed Output:
https://rest.nexmo.com/sms/json?api_key=a1b2c3d4&api_secret=MyS3cr3tK3y!!&from=AnsibleBot&to=15551234567&text=Hello
Exposure Vectors:
Ansible verbose output (-vvv) logs the full request URL
Vonage/Nexmo server access logs record credentials in query string
HTTP proxies, SIEM, and network inspection tools capture the full URL
AWX/Automation Controller network debug logs
Fix: Switch to POST with credentials in the request body:
# Credentials go into the form-encoded request body, so the URL that gets
# logged is just the bare endpoint.
data = urlencode({"api_key": api_key, "api_secret": api_secret,
                  "from": src, "to": number, "text": msg})
fetch_url(module, NEXMO_API, data=data, method="POST",
          headers={"Content-Type": "application/x-www-form-urlencoded"})
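The following is an added example, not code from the advisory or from the Ansible module itself, showing the two request shapes side by side and the defender-side checks that follow from them: a detector that reports secret parameter names found in a URL's query string, a scrubber that redacts them before a URL reaches a log, and a scan over log lines of the kind Ansible -vvv output produces. The endpoint is the one from the observed output above; the credential values, log lines and the SECRET_PARAMS list are constructed for the example, and no network request is made.

```python
import re
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Endpoint taken from the advisory's observed output; all other values are constructed.
NEXMO_API = "https://rest.nexmo.com/sms/json"

# Constructed list of parameter names that must never appear in a URL, because a URL
# is logged by the client, the server and everything in between.
SECRET_PARAMS = frozenset({"api_key", "api_secret", "password", "token"})

# Loose URL matcher for free-form log text (stops at whitespace and quotes).
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def build_get_url(params):
    """The vulnerable pattern: every parameter, secrets included, lands in the URL."""
    return f"{NEXMO_API}?{urlencode(params)}"


def build_post_request(params):
    """The hardened pattern: the URL carries nothing; parameters travel in the body.

    Returns (url, body, headers) as a caller would pass them to fetch_url() or
    urllib.request. The body is bytes so it can be sent as-is."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return NEXMO_API, urlencode(params).encode("utf-8"), headers


def find_leaked_params(url):
    """Detection: sorted secret parameter names present in the URL's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({key for key, _ in pairs if key in SECRET_PARAMS})


def redact_url(url, mask="REDACTED"):
    """Mitigation for log pipelines: mask secret query values, keep the rest of the URL."""
    parts = urlsplit(url)
    pairs = [(key, mask if key in SECRET_PARAMS else value)
             for key, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines):
    """Detection over log text: (line number, leaked names) for each URL that leaks a secret."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            leaked = find_leaked_params(url)
            if leaked:
                hits.append((number, leaked))
    return hits


# Constructed log excerpt in the style of Ansible verbose output: line 2 carries the
# vulnerable GET URL, line 3 the hardened POST (bare endpoint only).
SAMPLE_LOG = [
    "<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: ansible",
    "fetch_url: GET https://rest.nexmo.com/sms/json?api_key=a1b2c3d4"
    "&api_secret=MyS3cr3tK3y%21%21&from=AnsibleBot&to=15551234567&text=Hello",
    "fetch_url: POST https://rest.nexmo.com/sms/json",
]

if __name__ == "__main__":
    params = {"api_key": "a1b2c3d4", "api_secret": "MyS3cr3tK3y!!",
              "from": "AnsibleBot", "to": "15551234567", "text": "Hello"}
    get_url = build_get_url(params)
    post_url, body, _ = build_post_request(params)
    print("GET leaks:", find_leaked_params(get_url))
    print("POST leaks:", find_leaked_params(post_url))
    print("redacted:", redact_url(get_url))
    print("log hits:", scan_log(SAMPLE_LOG))
```

find_leaked_params is the check to run over request URLs in a CI or log-review step; redact_url belongs where URLs are written to logs, since it is the only one of the two that helps once a vulnerable module is already in use.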
Fix
Insertion into Log File
Weakness Enumeration
Related identifiers
Affected products
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9