UBUNTU-CVE-2026-43826

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-43826

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-43826.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-43826

Upstream

CVE-2026-43826

Published

2026-05-11T09:16:00Z

Modified

2026-05-14T14:53:42.644355Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

The OpenSearch logging provider, when configured with a host URL that embeds credentials (for example https://user:password@server.example.com:9200), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to apache-airflow-providers-opensearch 1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the [opensearch] host URL.

References

Affected packages

Ubuntu:24.04:LTS / opensearch

Package

Name: opensearch
Purl: pkg:deb/ubuntu/opensearch@2.4.1+dfsg-2?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.4.1+dfsg-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.4.1+dfsg-2",
            "binary_name": "libopensearch-java"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-43826.json"