Severity: low Affected versions:
- Apache Airflow Providers OpenSearch (apache-airflow-providers-opensearch) before 1.9.1 Description: The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:[email protected]:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-opensearch` 1.9.1 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[opensearch] host` URL. Credit: Aleksandr Sozinov (finder) Owen-CH-Leung (finder) Jarek Potiuk (remediation developer) References: https://github.com/apache/airflow/pull/65509 https://airflow.apache.org/ https://www.cve.org/CVERecord?id=CVE-2026-43826
