Skip to main content

Apache Airflow Elasticsearch Provider CVE-2026-41018

| EUVDEUVD-2026-29040 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-11 apache GHSA-g3jr-4jrm-jvqv
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
May 11, 2026 - 14:22 vuln.today
Analysis Generated
May 11, 2026 - 14:22 vuln.today
CVSS changed
May 11, 2026 - 14:22 NVD
6.5 (MEDIUM)
CVE Published
May 11, 2026 - 08:21 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 08:21 nvd
MEDIUM 6.5

DescriptionCVE.org

The Elasticsearch logging provider, when configured with a host URL that embeds credentials (for example https://user:password@server.example.com:9200), wrote the full host URL - including the embedded credentials - into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to apache-airflow-providers-elasticsearch 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the [elasticsearch] host URL.

AnalysisAI

Apache Airflow Elasticsearch provider writes embedded credentials from the [elasticsearch] host configuration URL directly into task logs, allowing any user with task-log read permissions to harvest backend authentication credentials. The vulnerability affects Apache Airflow Providers Elasticsearch versions before 6.5.3 and has been patched by stripping userinfo from the host URL before logging. EPSS exploitation probability is low (0.02%, percentile 4%), indicating limited real-world exploitation despite the sensitive nature of credential exposure.

Technical ContextAI

The Elasticsearch logging provider in Apache Airflow accepts a host URL in the format https://user:password@server.example.com:9200 via the [elasticsearch] host configuration parameter. This URL is reused as a display label for log-source grouping in task logs. When Elasticsearch search results do not include a host field, the code falls back to using the raw configuration URL as a dictionary key in log output. Because the URL contains embedded credentials, the full user:password@ portion was exposed in plaintext in task logs accessible to any Airflow user with read permissions on task logs. The root cause is CWE-532 (Insertion of Sensitive Information into Log File), combined with insufficient input sanitization when constructing log output. The fix introduces a _strip_userinfo() function that parses the URL and reconstructs it without the username and password components before using it as a log label, while maintaining the full URL for actual Elasticsearch client authentication.

RemediationAI

Upgrade Apache Airflow Providers Elasticsearch to version 6.5.3 or later. The patched version strips the user:password@ portion from the host URL before it is written to task logs, eliminating credential exposure while preserving authentication functionality. Additionally, as a defense-in-depth measure independent of the patch, configure Elasticsearch backend credentials via Apache Airflow's secret backend (such as environment variables, Kubernetes Secrets, or HashiCorp Vault) rather than embedding them directly in the [elasticsearch] host URL. This approach removes credentials from configuration files and logs entirely and is the recommended long-term practice. Organizations unable to upgrade immediately should restrict task-log read permissions to administrators only and audit existing task logs for credential exposure. The patch is available from the upstream GitHub repository at https://github.com/apache/airflow/pull/65349.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2026-41018 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy