GHSA-xccp-97wp-3gjg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xccp-97wp-3gjg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xccp-97wp-3gjg/GHSA-xccp-97wp-3gjg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xccp-97wp-3gjg
- Aliases
-
- CVE-2026-43826
- PYSEC-2026-23
- Published
- 2026-05-11T09:30:32Z
- Modified
- 2026-05-20T08:11:33.695716135Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL
- Details
-
The OpenSearch logging provider, when configured with a
hostURL that embeds credentials (for examplehttps://user:password@server.example.com:9200), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade toapache-airflow-providers-opensearch1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the[opensearch] hostURL. - Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2026-05-11T09:16:26Z", "cwe_ids": [ "CWE-532" ], "github_reviewed_at": "2026-05-15T17:30:13Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2026-43826
- https://github.com/apache/airflow/pull/65509
- https://github.com/apache/airflow/commit/6a6b6ff409fb48c28bd63482828632a3c5a5bb93
- https://github.com/apache/airflow
- https://lists.apache.org/thread/bxsrqx1vwssovnwnrvgh9xcosptmf73y
- http://www.openwall.com/lists/oss-security/2026/05/10/2
Affected packages
PyPI / apache-airflow-providers-opensearch
Package
- Name
- apache-airflow-providers-opensearch
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-airflow-providers-opensearch
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.9.1
Affected versions
1.*
1.0.0rc1
1.0.0
1.1.0rc1
1.1.0
1.1.1rc1
1.1.1
1.1.2rc1
1.1.2
1.2.0rc1
1.2.0
1.2.1rc1
1.2.1
1.3.0rc1
1.3.0
1.4.0rc1
1.4.0
1.5.0rc1
1.5.0
1.6.0rc1
1.6.0rc2
1.6.0
1.6.1rc1
1.6.1
1.6.2rc1
1.6.2
1.6.3rc1
1.6.3
1.7.0rc1
1.7.0
1.7.1rc1
1.7.1
1.7.2rc1
1.7.2
1.7.3rc1
1.7.3
1.7.4rc1
1.7.4
1.7.5rc1
1.7.5
1.8.0rc1
1.8.0
1.8.1rc1
1.8.1
1.8.2rc1
1.8.2
1.8.3rc1
1.8.3
1.8.4rc1
1.8.4
1.8.5rc1
1.8.5
1.9.0rc1
1.9.0
1.9.1rc1