CVE-2026-11819
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
The Ansible keyring_info module leaks a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) into task results because the output is not protected by the no_log flag. The passphrase appears in registered output, AWX/Tower logs, and Ansible fact cache backends.
Risk Assessment
The organization risks exposure of master passwords, SSH key passphrases, and service credentials in Ansible logs, potentially leading to unauthorized access to systems and data.
Recommendation
Immediately update the keyring_info module to a version containing the fix (_ansible_no_log=True) and add no_log: true at the task level in the playbook. Review existing logs and fact cache for leaked passphrases.
Original NVD description (English source)
Module: plugins/modules/keyring_info.py CVSS 3.1: 5.5 MEDIUM — AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: The module retrieves a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) and places it directly into result["passphrase"] with no output suppression, no no_log protection, and no documentation warning. Root Cause: Line 105 (protected): keyring_password=dict(type="str", required=True, no_log=True) Line 127 (NOT protected): result["passphrase"] = passphrase Observed Output: { "changed": false, "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret" } Visible via register + debug: { "keyring_result": { "changed": false, "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret" } } Impact: Master passwords, SSH key passphrases and service credentials appear in all Ansible output register: keyring_result followed by debug: var=keyring_result prints passphrase in full Ansible fact caching backends (Redis, JSON file, memcached) may persist the passphrase AWX/Tower job logs silently store the live credential Fix: module.exit_json(changed=False, passphrase=passphrase, _ansible_no_log=True) Also add a documentation warning requiring callers to use no_log: true at the task level. PoCs Fig 1: PoC execution showing passphrase in plaintext output Fig 2: Source code showing no_log=True on input (line 105) vs unprotected output (line 127)

