The OpenSearch logging provider wrote the complete host URL, including embedded credentials, into task logs whenever the configuration used a URL of the form https://user:password@server.example.com:9200. This allows any user with task‑log read permission to acquire backend credentials, compromising authentication secrets and the confidentiality of the system. The weakness is a classic instance of insecure data handling, classified under CWE‑532.

Apache Software Foundation and the Apache Airflow Providers OpenSearch component are affected. No specific version ranges are supplied in the available data, so the vulnerability may exist in any release that includes the vulnerable logging code until patched.

The CVSS score is 6.5, indicating a medium severity. Because the exploit requires only that a user read task logs and that the host URL contains embedded credentials, the risk is moderate to high for any environment granting broad log access. The EPSS score is 0.00017, indicating a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known active exploitation. Nevertheless, an attacker could harvest valid credentials to access the OpenSearch backend, potentially enabling further compromise.