CVE-2026-41018

MEDIUM 6.5

Apache Airflow Providers Elasticsearch: Elasticsearch task-log handler leaks credentials embedded in the host URL

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

The Elasticsearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:[email protected]:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-elasticsearch` 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[elasticsearch] host` URL.

CWE	CWE-532
Vendor	apache software foundation
Product	apache airflow providers elasticsearch
Published	May 11, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow providers elasticsearch

Be the first to know when new medium vulnerabilities affecting apache software foundation apache airflow providers elasticsearch are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow Providers Elasticsearch

0 < 6.5.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/apache/airflow/pull/65349 lists.apache.org: https://lists.apache.org/thread/wz5l58drprmwlv6jxnq466x24jqbbhp7 openwall.com: http://www.openwall.com/lists/oss-security/2026/05/10/3

Credits

Aleksandr Sozinov Jarek Potiuk