CVE-2026-43826

MEDIUM 6.5

Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:[email protected]:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-opensearch` 1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[opensearch] host` URL.

CWE	CWE-532
Vendor	apache software foundation
Product	apache airflow providers opensearch
Published	May 11, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow providers opensearch

Be the first to know when new medium vulnerabilities affecting apache software foundation apache airflow providers opensearch are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow Providers OpenSearch

0 < 1.9.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/apache/airflow/pull/65509 lists.apache.org: https://lists.apache.org/thread/bxsrqx1vwssovnwnrvgh9xcosptmf73y openwall.com: http://www.openwall.com/lists/oss-security/2026/05/10/2

Credits

Aleksandr Sozinov Owen-CH-Leung Jarek Potiuk