Apache Airflow Providers Elasticsearch: Elasticsearch task-log handler leaks credentials embedded in the host URL
Summary
| CVE | CVE-2026-41018 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-11 09:16:25 UTC |
| Updated | 2026-05-11 10:16:13 UTC |
| Description | The Elasticsearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:[email protected]:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-elasticsearch` 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[elasticsearch] host` URL. |
Risk And Classification
Problem Types: CWE-532 | CWE-532 CWE-532: Insertion of Sensitive Information into Log File
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache Airflow Providers Elasticsearch | affected 6.5.3 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| lists.apache.org/thread/wz5l58drprmwlv6jxnq466x24jqbbhp7 | [email protected] | lists.apache.org | |
| github.com/apache/airflow/pull/65349 | [email protected] | github.com | |
| www.openwall.com/lists/oss-security/2026/05/10/3 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Aleksandr Sozinov (en)
CNA: Jarek Potiuk (en)
There are currently no legacy QID mappings associated with this CVE.