Description
The Elasticsearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:password@server.example.com:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-elasticsearch` 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[elasticsearch] host` URL.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Elasticsearch logging provider incorrectly records the full host URL in task logs, even when that URL contains embedded credentials. A user with read access to task logs can obtain the Elasticsearch backend username and password. This is a direct out‑of‑band leakage of sensitive information and is identified as CWE-532.

Affected Systems

The vulnerability affects the Apache Airflow Providers Elasticsearch package supplied by the Apache Software Foundation. Versions prior to 6.5.3 are vulnerable; users should upgrade to 6.5.3 or newer, which removes the automatic logging of embedded credentials.

Risk and Exploitability

Because the data is written to logs, an attacker only needs permission to view task logs to harvest the credentials. The exploit requires no special network access and can be performed by any privileged user within the Airflow environment, making it a high‑risk internal threat. EPSS is unavailable and the vulnerability is not listed in the CISA KEV catalog, but its impact remains significant due to credential exposure.

Generated by OpenCVE AI on May 11, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade apache-airflow-providers-elasticsearch to version 6.5.3 or later
  • Reconfigure the [elasticsearch] host URL to remove any embedded username and password; store credentials in a secret backend instead
  • Review existing task logs for exposed credentials and clear them
  • Restrict task‑log read permissions to only those users who absolutely need them

Generated by OpenCVE AI on May 11, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 08:45:00 +0000

Type Values Removed Values Added
Description The Elasticsearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:password@server.example.com:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-elasticsearch` 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[elasticsearch] host` URL.
Title Apache Airflow Providers Elasticsearch: Elasticsearch task-log handler leaks credentials embedded in the host URL
Weaknesses CWE-532
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-11T12:59:39.211Z

Reserved: 2026-04-16T03:09:25.534Z

Link: CVE-2026-41018

cve-icon Vulnrichment

Updated: 2026-05-11T09:12:35.601Z

cve-icon NVD

Status : Received

Published: 2026-05-11T09:16:25.990

Modified: 2026-05-11T14:16:31.053

Link: CVE-2026-41018

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T09:30:33Z

Weaknesses