oss-sec mailing list archives

CVE-2026-43826: Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL


From: Shahar Epstein <shahar () apache org>
Date: Sun, 10 May 2026 19:28:36 +0000

Severity: low 

Affected versions:

- Apache Airflow Providers OpenSearch (apache-airflow-providers-opensearch) before 1.9.1

Description:

The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example 
`https://user:password () server example com:9200`), wrote the full host URL — including the embedded credentials — 
into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to 
upgrade to `apache-airflow-providers-opensearch` 1.9.1 or later and, as a defense-in-depth measure, configure the 
backend credentials via a secret backend rather than embedding them in the `[opensearch] host` URL.

Credit:

Aleksandr Sozinov (finder)
Owen-CH-Leung (finder)
Jarek Potiuk (remediation developer)

References:

https://github.com/apache/airflow/pull/65509
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43826


Current thread: