CVE-2026-11819 Overview
CVE-2026-11819 is an information disclosure vulnerability in the Ansible plugins/modules/keyring_info.py module. The module retrieves a passphrase from the operating system's native keyring, including GNOME Keyring, macOS Keychain, and Windows Credential Manager. It then places the retrieved secret directly into result["passphrase"] without applying no_log protection or output suppression. As a result, master passwords, SSH key passphrases, and service credentials appear in plaintext across Ansible task output, registered variables, fact caches, and AWX/Tower job logs. The flaw is categorized under [CWE-532] Insertion of Sensitive Information into Log File.
Critical Impact
Secrets retrieved from OS keyrings are exposed in Ansible stdout, fact caching backends (Redis, JSON, memcached), and AWX/Tower job histories, enabling credential harvesting by anyone with access to logs.
Affected Products
- Ansible collections shipping plugins/modules/keyring_info.py
- Deployments using Ansible fact caching (Redis, JSON file, memcached) with this module
- AWX and Red Hat Ansible Automation Platform (Tower) job log retention environments
Discovery Timeline
- 2026-06-23 - CVE-2026-11819 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-11819
Vulnerability Analysis
The keyring_info module reads a credential from an OS native keyring and returns it to the Ansible controller. Input handling protects the lookup password using keyring_password=dict(type="str", required=True, no_log=True) on line 105. However, the output path on line 127 assigns the retrieved value with result["passphrase"] = passphrase and emits it via module.exit_json() without _ansible_no_log=True. Ansible therefore treats the field as standard output and prints it whenever the task result is rendered.
Observed task output contains the live credential:
{
"changed": false,
"passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret"
}
When a playbook uses register: keyring_result followed by debug: var=keyring_result, the passphrase is printed in full. Fact caching backends persist the value to disk or memory stores, and AWX/Tower retain the credential in job event logs.
Root Cause
The root cause is asymmetric no_log enforcement. The module author protected the input argument but did not mark the output field as sensitive. Ansible has no mechanism to infer that a returned key named passphrase should be redacted. The documentation also omits any warning instructing callers to apply no_log: true at the task level.
Attack Vector
Exploitation requires local access with valid Ansible execution privileges. An authenticated user who can read playbook output, fact cache files, or AWX job histories recovers the cleartext secret. The vulnerability does not affect integrity or availability; it discloses high-value confidentiality material that often unlocks downstream systems such as SSH keys and password vaults.
Detection Methods for CVE-2026-11819
Indicators of Compromise
- Ansible stdout or ansible-playbook -v output containing a passphrase key with a non-empty string value.
- Fact cache files under the configured fact_caching_connection path containing serialized keyring_result objects with cleartext secrets.
- AWX/Tower job event records where event_data.res.passphrase is populated.
- Redis or memcached entries keyed by Ansible host names that include a passphrase field.
Detection Strategies
- Grep Ansible log directories and fact cache stores for the literal token "passphrase": followed by a quoted string.
- Query the AWX API endpoint /api/v2/job_events/ for res.passphrase and flag any non-null occurrence.
- Inspect playbooks for invocations of keyring_info that lack a task-level no_log: true.
Monitoring Recommendations
- Enable file integrity monitoring on Ansible controller log directories and fact cache backends.
- Alert on read access to AWX job event tables by non-administrative accounts.
- Audit Redis and memcached instances used for fact caching for keys containing credential field names.
How to Mitigate CVE-2026-11819
Immediate Actions Required
- Add no_log: true to every task that invokes the keyring_info module until a patched module version is deployed.
- Rotate any passphrases, SSH key secrets, or service credentials previously retrieved through the affected module.
- Purge fact cache stores and AWX/Tower job event logs that may contain disclosed secrets.
- Restrict read access to Ansible controller logs, fact caching backends, and AWX job histories to least-privilege roles.
Patch Information
The upstream fix updates the module to call module.exit_json(changed=False, passphrase=passphrase, _ansible_no_log=True) so Ansible redacts the value in all output paths. The maintainers are also adding a documentation warning instructing callers to set no_log: true at the task level. Track remediation through the Red Hat CVE-2026-11819 Advisory and Red Hat Bug Report #2487251.
Workarounds
- Wrap every keyring_info task with no_log: true at the task or block level to suppress output rendering.
- Disable fact caching for plays that use keyring_info, or scope caching to non-sensitive hosts only.
- Configure AWX/Tower job output verbosity to the lowest setting and shorten event retention windows.
# Configuration example: enforce no_log on the keyring_info invocation
- name: Retrieve SSH key passphrase from OS keyring
community.general.keyring_info:
service: ssh
username: deploy
keyring_password: "{{ vault_keyring_password }}"
register: keyring_result
no_log: true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

