The vulnerability exists in the Ansible module plugins/modules/keyring_info.py in Red Hat Enterprise Linux 10. The module retrieves passphrases from OS native keyrings (GNOME Keyring, macOS Keychain, Windows Credential Manager) and assigns them to result["passphrase"] without applying output suppression or no_log protection. This causes the sensitive passphrase to be visible in Ansible output, debug registers, fact caching backends, and AWX/Tower job logs. The root cause is that while the input parameter keyring_password is marked with no_log=True, the output passphrase is not protected. The CVSS 3.1 score is 5.5 (medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vendor advisory does not specify a patch or remediation level. The recommended fix involves adding _ansible_no_log=True on module exit and documenting the need for no_log: true at the task level.

Sensitive credentials such as master passwords, SSH key passphrases, and service credentials can be exposed in plaintext in Ansible output, debug logs, fact caching backends (Redis, JSON file, memcached), and AWX/Tower job logs. This exposure risks unauthorized disclosure of critical secrets, potentially compromising system security. The vulnerability does not affect integrity or availability but has a high confidentiality impact.

Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-11819 for current remediation guidance. Until a fix is available, users should avoid registering or debugging the passphrase variable in Ansible tasks using this module. Applying no_log: true at the task level is recommended to suppress sensitive output. Monitor the vendor advisory for official fixes or updates.