GHSA-g3jr-4jrm-jvqv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g3jr-4jrm-jvqv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g3jr-4jrm-jvqv/GHSA-g3jr-4jrm-jvqv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g3jr-4jrm-jvqv
- Aliases
-
- CVE-2026-41018
- PYSEC-2026-22
- Downstream
- Published
- 2026-05-11T09:30:32Z
- Modified
- 2026-05-20T08:11:33.457137936Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Apache Airflow Providers Elasticsearch: Elasticsearch task-log handlers leak credentials embedded in the host URL
- Details
-
The Elasticsearch logging provider, when configured with a
hostURL that embeds credentials (for examplehttps://user:password@server.example.com:9200), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade toapache-airflow-providers-elasticsearch6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the[elasticsearch] hostURL. - Database specific
{ "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2026-05-15T17:26:58Z", "nvd_published_at": "2026-05-11T09:16:25Z", "cwe_ids": [ "CWE-532" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2026-41018
- https://github.com/apache/airflow/pull/65349
- https://github.com/apache/airflow/commit/f9244064016a8db45277efb0c24808e663b233f3
- https://github.com/apache/airflow
- https://lists.apache.org/thread/wz5l58drprmwlv6jxnq466x24jqbbhp7
- http://www.openwall.com/lists/oss-security/2026/05/10/3
Affected packages
PyPI / apache-airflow-providers-elasticsearch
Package
- Name
- apache-airflow-providers-elasticsearch
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-airflow-providers-elasticsearch
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.5.3
Affected versions
1.*
1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
1.0.1rc1
1.0.1
1.0.2rc1
1.0.2
1.0.3rc1
1.0.3
1.0.4rc1
1.0.4
2.*
2.0.0rc1
2.0.0
2.0.1rc1
2.0.1
2.0.2rc1
2.0.2rc2
2.0.2
2.0.3rc1
2.0.3
2.1.0rc1
2.1.0
2.2.0rc3
2.2.0
3.*
3.0.0rc1
3.0.0
3.0.1rc1
3.0.1
3.0.2rc1
3.0.2
3.0.3rc1
3.0.3
4.*
4.0.0rc1
4.0.0rc2
4.0.0
4.1.0rc1
4.1.0
4.2.0rc1
4.2.0rc2
4.2.0rc3
4.2.0
4.2.1rc1
4.2.1
4.3.0rc1
4.3.0
4.3.1rc2
4.3.1rc3
4.3.1
4.3.2rc1
4.3.2rc2
4.3.2
4.3.3rc1
4.3.3
4.4.0rc1
4.4.0
4.5.0rc1
4.5.0rc2
4.5.0
4.5.1rc1
4.5.1
5.*
5.0.0rc1
5.0.0rc2
5.0.0rc3
5.0.0
5.0.1rc1
5.0.1
5.0.2rc1
5.0.2
5.1.0rc1
5.1.0
5.1.1rc1
5.1.1
5.2.0rc1
5.2.0
5.3.0rc1
5.3.0
5.3.1rc1
5.3.1
5.3.2rc1
5.3.2
5.3.3rc1
5.3.3
5.3.4rc1
5.3.4
5.4.0rc1
5.4.0rc2
5.4.0
5.4.1rc1
5.4.1
5.4.2rc1
5.4.2
5.5.0rc1
5.5.0
5.5.1rc1
5.5.1
5.5.2rc1
5.5.2
5.5.3rc1
5.5.3
6.*
6.0.0rc1
6.0.0rc2
6.0.0
6.1.0
6.2.0rc1
6.2.0
6.2.1rc1
6.2.1
6.2.2rc1
6.2.2
6.3.0rc1
6.3.0
6.3.1rc1
6.3.1
6.3.2rc1
6.3.2
6.3.3rc1
6.3.3
6.3.4rc1
6.3.4
6.3.5rc1
6.3.5
6.4.0rc1
6.4.0
6.4.1rc1
6.4.1
6.4.2rc1
6.4.2
6.4.3rc1
6.4.3
6.4.4rc1
6.4.4
6.5.0rc1
6.5.0rc2
6.5.0rc3
6.5.0
6.5.1rc1
6.5.1
6.5.2rc1
6.5.2
6.5.3rc1