logo

Database

Sensitive information stored in logs In apache-airflow-providers-opensearch

Description

Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL The OpenSearch logging provider, when configured with a host URL that embeds credentials (for example https://user:[email protected]:9200), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to apache-airflow-providers-opensearch 1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the [opensearch] host URL.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-438262. NVD-2026-438263. OSV-2026-438264. GCVE-2026-43826

References

1. https://github.com/apache/airflow/pull/655092. https://github.com/apache/airflow/commit/6a6b6ff409fb48c28bd63482828632a3c5a5bb933. https://github.com/apache/airflow4. https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow-providers-opensearch/PYSEC-2026-23.yaml5. https://lists.apache.org/thread/bxsrqx1vwssovnwnrvgh9xcosptmf73y6. http://www.openwall.com/lists/oss-security/2026/05/10/2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.