Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
The Elasticsearch logging provider, when configured with a host URL that embeds credentials (for example https://user:password@server.example.com:9200), wrote the full host URL - including the embedded credentials - into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to apache-airflow-providers-elasticsearch 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the [elasticsearch] host URL.
AnalysisAI
Apache Airflow Elasticsearch provider writes embedded credentials from the [elasticsearch] host configuration URL directly into task logs, allowing any user with task-log read permissions to harvest backend authentication credentials. The vulnerability affects Apache Airflow Providers Elasticsearch versions before 6.5.3 and has been patched by stripping userinfo from the host URL before logging. EPSS exploitation probability is low (0.02%, percentile 4%), indicating limited real-world exploitation despite the sensitive nature of credential exposure.
Technical ContextAI
The Elasticsearch logging provider in Apache Airflow accepts a host URL in the format https://user:password@server.example.com:9200 via the [elasticsearch] host configuration parameter. This URL is reused as a display label for log-source grouping in task logs. When Elasticsearch search results do not include a host field, the code falls back to using the raw configuration URL as a dictionary key in log output. Because the URL contains embedded credentials, the full user:password@ portion was exposed in plaintext in task logs accessible to any Airflow user with read permissions on task logs. The root cause is CWE-532 (Insertion of Sensitive Information into Log File), combined with insufficient input sanitization when constructing log output. The fix introduces a _strip_userinfo() function that parses the URL and reconstructs it without the username and password components before using it as a log label, while maintaining the full URL for actual Elasticsearch client authentication.
RemediationAI
Upgrade Apache Airflow Providers Elasticsearch to version 6.5.3 or later. The patched version strips the user:password@ portion from the host URL before it is written to task logs, eliminating credential exposure while preserving authentication functionality. Additionally, as a defense-in-depth measure independent of the patch, configure Elasticsearch backend credentials via Apache Airflow's secret backend (such as environment variables, Kubernetes Secrets, or HashiCorp Vault) rather than embedding them directly in the [elasticsearch] host URL. This approach removes credentials from configuration files and logs entirely and is the recommended long-term practice. Organizations unable to upgrade immediately should restrict task-log read permissions to administrators only and audit existing task logs for credential exposure. The patch is available from the upstream GitHub repository at https://github.com/apache/airflow/pull/65349.
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat
A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29040
GHSA-g3jr-4jrm-jvqv