PT-2026-39579 · Apache Airflow · Apache Airflow Providers Opensearch

Aleksandr Sozinov

+2

·

Published

2026-05-11

·

Updated

2026-05-11

·

CVE-2026-43826

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions apache-airflow-providers-opensearch versions prior to 1.9.1
Description The OpenSearch logging provider writes the full host URL into task logs when configured with a host URL that embeds credentials. This allows any user with task-log read permissions to harvest the backend credentials.
Recommendations Upgrade to version 1.9.1 or later. Configure backend credentials via a secret backend instead of embedding them in the host URL.

Exploit

Fix

Insertion into Log File

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43826
GHSA-XCCP-97WP-3GJG
PYSEC-2026-23

Affected Products

Apache Airflow Providers Opensearch