Threat Feed
medium advisory

Apache Airflow Providers OpenSearch and Elasticsearch Information Disclosure Vulnerabilities

A remote, authenticated attacker can exploit multiple vulnerabilities in Apache Airflow Providers OpenSearch and Elasticsearch to disclose sensitive information.

Multiple information disclosure vulnerabilities have been identified in the Apache Airflow provider packages for OpenSearch and Elasticsearch (distributed on PyPI as apache-airflow-providers-opensearch and apache-airflow-providers-elasticsearch). A remote attacker who already holds valid Airflow credentials could use these flaws to read sensitive information. The weaknesses lie in the provider components (the hooks and operators) through which Airflow tasks talk to OpenSearch and Elasticsearch clusters. The issue was reported on May 11, 2026, and affects installations that have either provider installed. Defenders should identify affected installations and apply the mitigations below to prevent unauthorized data access.

Attack Chain

  1. Attacker authenticates to the Apache Airflow instance with valid credentials; the flaws are not reachable without authentication.
  2. Attacker crafts a request that reaches the OpenSearch or Elasticsearch provider code.
  3. The request triggers a flaw in the provider's data-handling or access-control logic.
  4. The provider processes the request and inadvertently includes sensitive information in its output.
  5. The output is returned to the attacker and may contain credentials, configuration details, or other sensitive data.
  6. Attacker uses the disclosed information to pivot to other systems or to locate further sensitive assets.

Impact

Successful exploitation can disclose sensitive information, including credentials, internal configuration, or business-critical data held in the OpenSearch or Elasticsearch clusters the providers connect to. With that information an attacker can gain unauthorized access to other systems, escalate privileges, or cause further damage. The number of affected installations is unknown, but any Apache Airflow instance with the vulnerable providers installed is at risk.

Recommendation

  • Inventory Airflow deployments for the OpenSearch and Elasticsearch provider packages, confirm installed versions, and upgrade to the fixed releases published in the upstream Apache Airflow security advisories.
  • Monitor Apache Airflow webserver and REST API logs for unusual reads of OpenSearch and Elasticsearch connections and for task logs that expose connection details. Note that the Sigma rule's logsource (process_creation, product: linux) covers process launches, not HTTP requests, so pair it with webserver access logging.
  • Restrict who can authenticate to Apache Airflow and apply least-privilege roles so that only operators who need them can read Connections and Variables or trigger DAGs that use these providers.
  • Deploy the Sigma rule provided to detect potential exploitation attempts (title: “Detect Suspicious Airflow OpenSearch/Elasticsearch Requests”).

Detection coverage (1 rule)

Detect Suspicious Airflow OpenSearch/Elasticsearch Requests

medium

Detects potential information disclosure attempts in Apache Airflow OpenSearch/Elasticsearch providers by monitoring for abnormal requests.

Sigma rule; tactics: discovery; logsource: process_creation (linux)
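The Sigma rule named above is not reproduced on this page. As an added example, which is neither the feed's rule nor code from the Apache Airflow project, the following Python script runs equivalent detection logic over constructed Airflow webserver access-log lines. It assumes the webserver writes the authenticated username into the gunicorn-style user field (many deployments log `-` there, in which case the username has to come from Airflow's own audit or API authentication logs), that the Airflow 2 stable REST API serves connections under `/api/v1/connections`, an assumed allowlist of users expected to read connections, and the constructed connection IDs, usernames and thresholds shown. None of those details come from the advisory.

```python
"""Flag connection-disclosure patterns in Airflow webserver access logs.

Added example; the log lines, usernames, connection IDs, allowlist and
thresholds below are constructed assumptions, not data from the advisory.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the gunicorn-style format: host, ident, user, time,
# request line, status, bytes. Assumes the user field is populated.
SAMPLE_LOG = """\
10.0.0.5 - analyst1 [11/May/2026:10:01:02 +0000] "GET /api/v1/dags HTTP/1.1" 200 5120
10.0.0.9 - svc-etl [11/May/2026:10:01:10 +0000] "GET /api/v1/connections?limit=100 HTTP/1.1" 200 9021
10.0.0.9 - svc-etl [11/May/2026:10:01:11 +0000] "GET /api/v1/connections/opensearch_default HTTP/1.1" 200 612
10.0.0.9 - svc-etl [11/May/2026:10:01:12 +0000] "GET /api/v1/connections/elasticsearch_default HTTP/1.1" 200 640
10.0.0.9 - svc-etl [11/May/2026:10:01:13 +0000] "GET /api/v1/connections/es_prod HTTP/1.1" 200 655
10.0.0.7 - admin [11/May/2026:10:05:00 +0000] "GET /api/v1/connections/opensearch_default HTTP/1.1" 200 612
10.0.0.9 - svc-etl [11/May/2026:10:06:30 +0000] "GET /api/v1/connections/os_logs HTTP/1.1" 403 120
"""

# Assumed allowlist: accounts that legitimately read connection objects.
ALLOWED_CONNECTION_READERS = {"admin"}

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Airflow 2 stable API: list endpoint or a single connection by ID (assumed path).
CONN_RE = re.compile(r'^/api/v\d+/connections(?:/(?P<conn_id>[^/?]+))?(?:\?.*)?$')
# Heuristic for connection IDs that point at a search backend (assumed naming).
SEARCH_HINT = re.compile(r'opensearch|elastic|(?:^|_)es(?:_|$)', re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return ("list", None), ("read", conn_id) or None for a connections-API GET."""
    if rec["method"] != "GET":
        return None
    m = CONN_RE.match(rec["path"])
    if not m:
        return None
    conn_id = m.group("conn_id")
    return ("read", conn_id) if conn_id else ("list", None)


def find_alerts(log_text, allowed_users, threshold=3, window=timedelta(seconds=60)):
    """Return alerts for non-allowlisted users that enumerate connections, read
    several search-backend connections within `window`, or get denied (403)."""
    alerts = []
    reads = {}  # user -> [(timestamp, conn_id)] for successful search-backend reads
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None or rec["user"] in allowed_users:
            continue
        if rec["status"] == 403:
            alerts.append({"rule": "denied_connection_access",
                           "user": rec["user"], "path": rec["path"]})
            continue
        if not 200 <= rec["status"] < 300:
            continue  # only successful responses can disclose data
        if kind[0] == "list":
            alerts.append({"rule": "connection_enumeration",
                           "user": rec["user"], "path": rec["path"]})
            continue
        conn_id = kind[1]
        if not SEARCH_HINT.search(conn_id):
            continue
        hist = reads.setdefault(rec["user"], [])
        hist.append((rec["ts"], conn_id))
        recent = [c for t, c in hist if rec["ts"] - t <= window]
        if len(recent) == threshold:  # fire when the count first reaches the threshold
            alerts.append({"rule": "search_connection_burst",
                           "user": rec["user"], "conn_ids": recent})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG, ALLOWED_CONNECTION_READERS):
        print(alert)
```

On the constructed sample this raises three alerts for `svc-etl`: one for listing all connections, one for reading three search-backend connections within a minute, and one for a denied read. Tune the allowlist, the connection-ID heuristic and the burst threshold to the deployment; automation accounts that legitimately enumerate connections will otherwise be noisy. Because the feed's rule is scoped to process_creation on Linux, logic of this kind over webserver access logs is a complement to it, not a replacement for the rule itself.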
