CVE-2026-43826
OpenSearch Credential Exposure in Apache Airflow Provider
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache_airflow_providers_opensearch | From 1.9.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes backend credentials embedded in the OpenSearch host URL within task logs, allowing any user with task-log read permission to access sensitive authentication details.
Such exposure of sensitive credentials could lead to unauthorized access to systems and data, potentially violating data protection requirements under standards like GDPR and HIPAA, which mandate strict controls over access to sensitive information.
Mitigations include upgrading to apache-airflow-providers-opensearch version 1.9.1 or later and configuring backend credentials via a secret backend rather than embedding them in the host URL, reducing the risk of credential leakage and helping maintain compliance.
Can you explain this vulnerability to me?
The vulnerability in CVE-2026-43826 involves the OpenSearch logging provider in Apache Airflow. When configured with a host URL that includes embedded credentials (such as username and password), the full URL including these sensitive credentials was written into task logs.
This means that any user who has permission to read task logs could access and harvest these backend credentials, leading to a credential leak.
The issue was fixed by removing the embedded user information from the URL before logging, ensuring that credentials are not exposed in logs while still allowing the OpenSearch client to connect using the full URL.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive backend credentials embedded in the OpenSearch host URL.
If an attacker or unauthorized user has task-log read permissions, they could extract these credentials from the logs and potentially gain unauthorized access to the backend OpenSearch service.
Such unauthorized access could lead to further compromise of data, disruption of services, or escalation of privileges within your environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting task logs for the presence of embedded credentials within OpenSearch host URLs. Specifically, look for URLs in the logs that include user information in the format `https://user:password@<host>:9200`.
You can search task logs for patterns matching embedded credentials using commands such as:
- `grep -rE 'https?://[^:@]+:[^@]+@' /path/to/airflow/logs`
- `grep -r 'user:password@' /path/to/airflow/logs`
These commands search recursively through logs for URLs containing embedded user credentials, which indicate exposure of sensitive information due to this vulnerability.
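The following is an added example, not code from the apache-airflow-providers-opensearch project. It shows the shape of the fix described in the "Can you explain this vulnerability" answer (keep the full URL for the client, log only a copy with the `user:password@` part removed) and the log check from the detection answer; host names and log lines are constructed sample values.

```python
"""Redact URL userinfo before logging, and scan logs for URLs that still carry it."""
import re
from urllib.parse import urlsplit, urlunsplit


def redact_userinfo(url: str) -> str:
    """Return `url` with any `user:password@` removed from the authority.

    The original URL is left untouched for the OpenSearch client; only the
    returned copy is meant for log lines. URLs without userinfo are returned
    unchanged, and IPv6 literals such as [::1] keep their brackets.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    # Everything after the last '@' is host[:port]; drop the userinfo before it.
    netloc = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


# scheme://user:password@... ; mirrors the grep pattern from the detection answer.
CREDENTIAL_URL = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.\-]*://[^\s/:@]+:[^\s/@]+@[^\s]+")


def find_leaked_urls(lines):
    """Return (line_number, redacted_url) for each log line containing a URL with userinfo.

    The credential itself is never returned, so the scan result is safe to report.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in CREDENTIAL_URL.finditer(line):
            hits.append((number, redact_userinfo(match.group(0))))
    return hits


# Constructed sample task log (not a real Airflow log); the host is a placeholder.
SAMPLE_LOG = [
    "[2026-05-11 10:00:01] INFO - Connecting to OpenSearch at "
    "https://airflow:Sup3rS3cret@opensearch.example.internal:9200",
    "[2026-05-11 10:00:02] INFO - Task instance started",
    "[2026-05-11 10:00:03] INFO - Writing to https://opensearch.example.internal:9200/airflow-logs",
]

if __name__ == "__main__":
    for line_no, url in find_leaked_urls(SAMPLE_LOG):
        print(f"line {line_no}: credentials embedded in URL for {url}")
```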
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the `apache-airflow-providers-opensearch` package to version 1.9.1 or later.
Additionally, as a defense-in-depth measure, avoid embedding credentials directly in the `[opensearch] host` URL. Instead, configure backend credentials using a secret backend.
These steps prevent credentials from being logged in task logs and reduce the risk of credential leakage.