Apache Airflow · Apache Airflow Providers Opensearch · CVE-2026-43826
**Name of the Vulnerable Software and Affected Versions**
apache-airflow-providers-opensearch versions prior to 1.9.1
**Description**
The OpenSearch logging provider writes the full host URL into task logs when configured with a `host` URL that embeds credentials. This allows any user with task-log read permissions to harvest the backend credentials.
**Recommendations**
Upgrade to version 1.9.1 or later.
Configure backend credentials via a secret backend instead of embedding them in the `host` URL.