Description
The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:password@server.example.com:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-opensearch` 1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[opensearch] host` URL.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The OpenSearch logging provider wrote the complete host URL, including embedded credentials, into task logs whenever the configuration used a URL of the form https://user:password@server.example.com:9200. This allows any user with task-log read permission to acquire backend credentials, compromising authentication secrets and the confidentiality of the system. The weakness is a classic instance of insecure data handling, classified under CWE-532 (insertion of sensitive information into a log file).

Affected Systems

The affected component is the Apache Airflow OpenSearch provider (apache-airflow-providers-opensearch), maintained by the Apache Software Foundation. No specific version ranges are supplied in the available data, so the vulnerability may exist in any release that includes the vulnerable logging code until patched.

Risk and Exploitability

Because the exploit requires only that a user read task logs and that the host URL contains embedded credentials, the risk is moderate to high for any environment granting broad log access. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known active exploitation. Nevertheless, an attacker could harvest valid credentials to access the OpenSearch backend, potentially enabling further compromise.

Generated by OpenCVE AI on May 11, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade apache-airflow-providers-opensearch to version 1.9.1 or newer
  • Configure backend credentials via a secret backend instead of embedding them in the opensearch host URL
  • Limit task-log read permissions to only users who must have access

Generated by OpenCVE AI on May 11, 2026 at 09:20 UTC.
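Added example, not code from the Airflow OpenSearch provider: a helper that masks the password in a URL's userinfo before the host value reaches a log line, plus a scan over constructed task-log lines that flags URLs still carrying `user:password@` credentials. The hostnames, secret and log lines are made up for the demonstration.

```python
# Added example, not the Airflow OpenSearch provider's code: mask credentials
# embedded in a URL before logging it, and scan task-log lines for URLs that
# still carry user:password@ userinfo. Sample log lines are constructed.
import re
from typing import List, Tuple
from urllib.parse import urlsplit, urlunsplit

# scheme://user:password@  -> keep user, replace password with ***
_CRED_URL = re.compile(r"(\b[a-z][a-z0-9+.-]*://[^/\s:@]+:)[^/\s@]+(@)", re.IGNORECASE)

def redact_url_credentials(url: str) -> str:
    """Return url with the userinfo password replaced by '***'; no userinfo -> unchanged."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    user = parts.username or ""
    netloc = f"{user}:***@{host}" if parts.password is not None else f"{user}@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def find_leaked_credential_urls(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, redacted line) for each line holding a user:pass@ URL."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        if _CRED_URL.search(line):
            hits.append((lineno, _CRED_URL.sub(r"\1***\2", line)))
    return hits

# Constructed sample task-log lines (hostname and secret are made up).
SAMPLE_TASK_LOG = [
    "[2026-05-11 09:20:01] INFO - OpenSearch log handler host: https://airflow:s3cr3t@search.internal:9200",
    "[2026-05-11 09:20:02] INFO - Task instance started",
    "[2026-05-11 09:20:03] INFO - OpenSearch log handler host: https://search.internal:9200",
]

if __name__ == "__main__":
    print(redact_url_credentials("https://user:password@server.example.com:9200"))
    for lineno, redacted in find_leaked_credential_urls(SAMPLE_TASK_LOG):
        print(f"line {lineno}: {redacted}")
```

The redacted copy is what should go into an alert or ticket; the original line is itself a secret until the logs are purged.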

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:password@server.example.com:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-opensearch` 1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[opensearch] host` URL.
Title | | Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL
Weaknesses | | CWE-532
References | |

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-11T13:02:08.325Z

Reserved: 2026-05-02T14:15:15.880Z

Link: CVE-2026-43826

Vulnrichment

Updated: 2026-05-11T09:12:42.100Z

NVD

Status : Received

Published: 2026-05-11T09:16:26.143

Modified: 2026-05-11T14:16:31.370

Link: CVE-2026-43826

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T09:30:33Z

Weaknesses