CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-43826

The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:password@server.example.com:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-opensearch` 1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[opensearch] host` URL.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 16.3%

CVSS Severity

CVSS v3 Score 6.5

References

Products affected by CVE-2026-43826

Apache » Apache-Airflow-Providers-Opensearch » Version: 1.0.0

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.0.0
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.1.0

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.1.0
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.1.1

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.1.1
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.1.2

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.1.2
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.2.0

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.2.0
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.2.1

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.2.1
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.3.0

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.3.0
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.4.0

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.4.0
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.5.0

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.5.0
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.6.0

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.6.0
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.6.1

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.6.1
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.6.2

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.6.2
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.6.3

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.6.3
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.7.0

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.7.0
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.7.1

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.7.1
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.7.2

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.7.2
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.7.3

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.7.3
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.7.4

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.7.4
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.7.5

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.7.5
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.8.0

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.8.0
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.8.1

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.8.1
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.8.2

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.8.2
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.8.3

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.8.3
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.8.4

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.8.4
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.8.5

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.8.5
Apache » Apache-Airflow-Providers-Opensearch » Version: 1.9.0

cpe:2.3:a:apache:apache-airflow-providers-opensearch:1.9.0

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-43826

Products

Pricing

Contact Us