{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/airflow-providers-opensearch--1.9.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Airflow Providers OpenSearch (\u003c 1.9.1)"],"_cs_severities":["low"],"_cs_tags":["credential-leak","airflow","opensearch"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eApache Airflow Providers OpenSearch versions before 1.9.1 are vulnerable to a credentials leak. When configured with a \u003ccode\u003ehost\u003c/code\u003e URL that embeds credentials (e.g., \u003ccode\u003ehttps://user:password@server.example.com:9200\u003c/code\u003e), the OpenSearch logging provider writes the full host URL, including the embedded credentials, into task logs. This vulnerability, identified as CVE-2026-43826, allows any user with task-log read permission to potentially harvest the backend credentials, leading to unauthorized access or data breaches. 
The issue was reported on May 10, 2026, and defenders should prioritize upgrading to version 1.9.1 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator configures the Apache Airflow OpenSearch logging provider.\u003c/li\u003e\n\u003cli\u003eThe administrator includes credentials directly within the \u003ccode\u003ehost\u003c/code\u003e URL of the OpenSearch configuration (e.g., \u003ccode\u003ehttps://user:password@opensearch.example.com:9200\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAirflow executes a task that generates logs.\u003c/li\u003e\n\u003cli\u003eThe OpenSearch logging provider writes the full \u003ccode\u003ehost\u003c/code\u003e URL, including the embedded credentials, into the Airflow task logs.\u003c/li\u003e\n\u003cli\u003eA user with read access to the Airflow task logs views the logs through the Airflow UI or API.\u003c/li\u003e\n\u003cli\u003eThe user observes the OpenSearch \u003ccode\u003ehost\u003c/code\u003e URL, which contains the plaintext credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the harvested credentials to access the OpenSearch cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to data stored within the OpenSearch cluster.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-43826) allows unauthorized users with task-log read permission to obtain sensitive credentials for the OpenSearch cluster. The impact is significant as it can lead to a complete compromise of the OpenSearch backend, allowing attackers to read, modify, or delete data stored within the cluster. 
This vulnerability affects all Apache Airflow Providers OpenSearch installations prior to version 1.9.1 that use embedded credentials in the OpenSearch host URL.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Apache Airflow Providers OpenSearch to version 1.9.1 or later to remediate CVE-2026-43826.\u003c/li\u003e\n\u003cli\u003eReview and sanitize existing Airflow task logs to remove any instances of embedded credentials.\u003c/li\u003e\n\u003cli\u003eAvoid embedding credentials directly in the OpenSearch \u003ccode\u003ehost\u003c/code\u003e URL. Use alternative authentication mechanisms such as environment variables or secrets management.\u003c/li\u003e\n\u003cli\u003eRestrict access to Airflow task logs based on the principle of least privilege.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-10T19:46:52Z","date_published":"2026-05-10T19:46:52Z","id":"https://feed.craftedsignal.io/briefs/2026-05-airflow-opensearch-creds-leak/","summary":"The OpenSearch logging provider in Apache Airflow Providers OpenSearch versions before 1.9.1 wrote host URLs containing embedded credentials into task logs, potentially exposing them to unauthorized users with task-log read permission (CVE-2026-43826).","title":"Apache Airflow OpenSearch Provider Credentials Leak via Task Logs (CVE-2026-43826)","url":"https://feed.craftedsignal.io/briefs/2026-05-airflow-opensearch-creds-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Airflow Providers OpenSearch (\u003c 1.9.1)","version":"https://jsonfeed.org/version/1.1"}