oss-sec mailing list archives
CVE-2026-43826: Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL
From: Shahar Epstein <shahar () apache org>
Date: Sun, 10 May 2026 19:28:36 +0000
Severity: low Affected versions: - Apache Airflow Providers OpenSearch (apache-airflow-providers-opensearch) before 1.9.1 Description: The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:password () server example com:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-opensearch` 1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[opensearch] host` URL. Credit: Aleksandr Sozinov (finder) Owen-CH-Leung (finder) Jarek Potiuk (remediation developer) References: https://github.com/apache/airflow/pull/65509 https://airflow.apache.org/ https://www.cve.org/CVERecord?id=CVE-2026-43826
Current thread:
- CVE-2026-43826: Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL Shahar Epstein (May 10)
