The vulnerability in Red Hat Enterprise Linux 10's Ansible nexmo.py module arises because sensitive credentials (api_key and api_secret) are declared with no_log=True to prevent logging, but are then URL-encoded into a GET request's query parameters. This bypasses the no_log protection and causes the credentials to be exposed in various logs and network captures. The CVSS 3.1 score is 6.5 (medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low complexity, privileges required, no user interaction, unchanged scope, high confidentiality impact, no integrity or availability impact. The recommended fix is to switch to using POST requests with credentials in the request body, preventing exposure in URLs and logs.

Sensitive API credentials (api_key and api_secret) are exposed in cleartext within URLs, which are logged by Ansible verbose output, Vonage/Nexmo server access logs, HTTP proxies, SIEM, network inspection tools, and AWX/Automation Controller debug logs. This exposure can lead to unauthorized access to the affected API services, compromising confidentiality. There is no impact on integrity or availability.

A patch is available that changes the request method from GET to POST and moves credentials from URL query parameters to the request body, preventing credential exposure in logs and network captures. Since this is a cloud service component, the vendor manages remediation for the cloud-hosted service; users should apply the updated Ansible module or Red Hat Enterprise Linux 10 updates as provided by Red Hat. Check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-11820 for the latest remediation guidance and apply official fixes promptly.