Skip to main content

Apache Airflow Providers OpenSearch CVE-2026-43826

| EUVDEUVD-2026-29042 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-11 apache GHSA-xccp-97wp-3gjg
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
May 11, 2026 - 14:22 vuln.today
Analysis Generated
May 11, 2026 - 14:22 vuln.today
CVSS changed
May 11, 2026 - 14:22 NVD
6.5 (MEDIUM)
CVE Published
May 11, 2026 - 08:21 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 08:21 nvd
MEDIUM 6.5

DescriptionCVE.org

The OpenSearch logging provider, when configured with a host URL that embeds credentials (for example https://user:password@server.example.com:9200), wrote the full host URL - including the embedded credentials - into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to apache-airflow-providers-opensearch 1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the [opensearch] host URL.

AnalysisAI

Apache Airflow Providers OpenSearch versions before 1.9.1 leak backend credentials in task logs when the OpenSearch connection host URL embeds credentials in the format https://user:password@server:9200. Any user with task-log read permission can extract these credentials from log output. The vulnerability is confirmed patched in version 1.9.1 and later, with an EPSS score of 0.02% indicating low real-world exploitation probability despite the moderate CVSS score.

Technical ContextAI

The OpenSearch task-log handler in Apache Airflow stores connection URLs directly as log-source labels without sanitization. When the [opensearch] host configuration embeds HTTP Basic Authentication credentials as userinfo in the URL (per RFC 3986), these credentials persist into task-log output as dictionary keys when log hits do not carry their own host field. The underlying issue is improper handling of URL parsing and credential stripping before reusing the host URL as a display label. CWE-532 (Insertion of Sensitive Information into Log File) categorizes this as information exposure through logging rather than a flaw in the OpenSearch client itself. The fix implements a _strip_userinfo() function that parses the URL and reconstructs it without the user:password@ portion before using it as a log label.

RemediationAI

Upgrade to Apache Airflow Providers OpenSearch 1.9.1 or later immediately. This version strips embedded credentials from the host URL before using it as a log-source label, as documented in the PR diff and changelog at https://github.com/apache/airflow/pull/65509. As a defense-in-depth measure, configure OpenSearch backend credentials via a secret backend (Airflow's Secret Backend abstraction or environment variables) rather than embedding them directly in the [opensearch] host URL configuration. This alternative approach eliminates the attack surface entirely and is the recommended long-term posture. The patch has no breaking changes or performance impact - credential handling for the OpenSearch client remains identical; only log output sanitization is enhanced. For organizations unable to upgrade immediately, restrict task-log read permissions to only trusted administrative users and audit who has accessed logs containing OpenSearch connections.

Share

CVE-2026-43826 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy