Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
The OpenSearch logging provider, when configured with a host URL that embeds credentials (for example https://user:password@server.example.com:9200), wrote the full host URL - including the embedded credentials - into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to apache-airflow-providers-opensearch 1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the [opensearch] host URL.
AnalysisAI
Apache Airflow Providers OpenSearch versions before 1.9.1 leak backend credentials in task logs when the OpenSearch connection host URL embeds credentials in the format https://user:password@server:9200. Any user with task-log read permission can extract these credentials from log output. The vulnerability is confirmed patched in version 1.9.1 and later, with an EPSS score of 0.02% indicating low real-world exploitation probability despite the moderate CVSS score.
Technical ContextAI
The OpenSearch task-log handler in Apache Airflow stores connection URLs directly as log-source labels without sanitization. When the [opensearch] host configuration embeds HTTP Basic Authentication credentials as userinfo in the URL (per RFC 3986), these credentials persist into task-log output as dictionary keys when log hits do not carry their own host field. The underlying issue is improper handling of URL parsing and credential stripping before reusing the host URL as a display label. CWE-532 (Insertion of Sensitive Information into Log File) categorizes this as information exposure through logging rather than a flaw in the OpenSearch client itself. The fix implements a _strip_userinfo() function that parses the URL and reconstructs it without the user:password@ portion before using it as a log label.
RemediationAI
Upgrade to Apache Airflow Providers OpenSearch 1.9.1 or later immediately. This version strips embedded credentials from the host URL before using it as a log-source label, as documented in the PR diff and changelog at https://github.com/apache/airflow/pull/65509. As a defense-in-depth measure, configure OpenSearch backend credentials via a secret backend (Airflow's Secret Backend abstraction or environment variables) rather than embedding them directly in the [opensearch] host URL configuration. This alternative approach eliminates the attack surface entirely and is the recommended long-term posture. The patch has no breaking changes or performance impact - credential handling for the OpenSearch client remains identical; only log output sanitization is enhanced. For organizations unable to upgrade immediately, restrict task-log read permissions to only trusted administrative users and audit who has accessed logs containing OpenSearch connections.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29042
GHSA-xccp-97wp-3gjg