CVE-2026-43826 in Airflow Providers OpenSearchinformação

Sumário

de MITRE • 11/05/2026

The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:[email protected]:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-opensearch` 1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[opensearch] host` URL.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Divulgação

11/05/2026

Moderação

aceite

Entrada

VDB-362579

CPE

pronto

CWE

CWE-532 (confirmado)

CVSS

4.3 (VulDB)

EPSS

0.00051

KEV

não

Atividades

muito baixo

Sector

Industry, Energy, ...

Fontes

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-43826
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-43826
CVE Details	https://www.cvedetails.com/cve/CVE-2026-43826/

◂ Voltar Visão Geral Próximo ▸

Interested in the pricing of exploits?

See the underground prices here!