CVE-2026-43826

Published: Mag 11, 2026 Last Modified: Mag 11, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:[email protected]:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-opensearch` 1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[opensearch] host` URL.

532

Insertion of Sensitive Information into Log File

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality
Potential Impacts:
Read Application Data
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: Medium
View CWE Details
http://www.openwall.com/lists/oss-security/2026/05/10/2
http://www.openwall.com/lists/oss-security/2026/05/10/2
https://github.com/apache/airflow/pull/65509
https://github.com/apache/airflow/pull/65509
https://lists.apache.org/thread/bxsrqx1vwssovnwnrvgh9xcospt…
https://lists.apache.org/thread/bxsrqx1vwssovnwnrvgh9xcosptmf73y