PYSEC-2026-22

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-elasticsearch/PYSEC-2026-22.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-22
Aliases
Published
2026-05-11T09:16:25.990Z
Modified
2026-05-20T09:18:51.903060Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

The Elasticsearch logging provider, when configured with a host URL that embeds credentials (for example https://user:password@server.example.com:9200), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to apache-airflow-providers-elasticsearch 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the [elasticsearch] host URL.
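For operators who need to check already-written task logs for this exposure, the following added example (not the provider's own code and not its fix) finds URLs that carry embedded credentials in log lines and returns redacted copies. The function names and the sample log lines are constructed for illustration; only the example URL comes from the advisory text.

```python
import re
from urllib.parse import urlsplit

# http(s) URLs whose authority part contains '@', i.e. carries userinfo.
# The greedy authority match stops at the last '@' before the first '/', '?' or '#'.
_URL_WITH_USERINFO = re.compile(r"https?://[^\s/?#]*@[^\s\"'<>]*")

# Constructed sample lines; the message format is an assumption, not Airflow's.
SAMPLE_LOG = [
    "[2026-01-01T00:00:00] INFO - Connecting to https://user:password@server.example.com:9200",
    "[2026-01-01T00:00:01] INFO - Task started",
    "[2026-01-01T00:00:02] INFO - Health: https://server.example.com:9200/_cat/health",
]


def redact_url(url: str) -> str:
    """Replace the userinfo part of url with '***'; return url unchanged if it has none."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Unparseable authority: drop the whole URL rather than risk leaking it.
        return "***redacted-url***"
    _userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return url
    return parts._replace(netloc="***@" + hostport).geturl()


def scan_log(lines):
    """Return (findings, cleaned).

    findings: 1-based numbers of lines that contained a credential-bearing URL.
    cleaned:  the same lines with every such URL redacted.
    """
    findings, cleaned = [], []
    for number, line in enumerate(lines, start=1):
        redacted = _URL_WITH_USERINFO.sub(lambda m: redact_url(m.group(0)), line)
        if redacted != line:
            findings.append(number)
        cleaned.append(redacted)
    return findings, cleaned


if __name__ == "__main__":
    hits, safe = scan_log(SAMPLE_LOG)
    print("lines exposing credentials:", hits)
    print("\n".join(safe))
```

Any credential found this way should be treated as exposed and rotated; redacting the stored log does not undo earlier reads.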

References

Affected packages

PyPI / apache-airflow-providers-elasticsearch

Package

Name
apache-airflow-providers-elasticsearch
Purl
pkg:pypi/apache-airflow-providers-elasticsearch

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.5.3

Affected versions

1.*
1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
1.0.1rc1
1.0.1
1.0.2rc1
1.0.2
1.0.3rc1
1.0.3
1.0.4rc1
1.0.4
2.*
2.0.0rc1
2.0.0
2.0.1rc1
2.0.1
2.0.2rc1
2.0.2rc2
2.0.2
2.0.3rc1
2.0.3
2.1.0rc1
2.1.0
2.2.0rc3
2.2.0
3.*
3.0.0rc1
3.0.0
3.0.1rc1
3.0.1
3.0.2rc1
3.0.2
3.0.3rc1
3.0.3
4.*
4.0.0rc1
4.0.0rc2
4.0.0
4.1.0rc1
4.1.0
4.2.0rc1
4.2.0rc2
4.2.0rc3
4.2.0
4.2.1rc1
4.2.1
4.3.0rc1
4.3.0
4.3.1rc2
4.3.1rc3
4.3.1
4.3.2rc1
4.3.2rc2
4.3.2
4.3.3rc1
4.3.3
4.4.0rc1
4.4.0
4.5.0rc1
4.5.0rc2
4.5.0
4.5.1rc1
4.5.1
5.*
5.0.0rc1
5.0.0rc2
5.0.0rc3
5.0.0
5.0.1rc1
5.0.1
5.0.2rc1
5.0.2
5.1.0rc1
5.1.0
5.1.1rc1
5.1.1
5.2.0rc1
5.2.0
5.3.0rc1
5.3.0
5.3.1rc1
5.3.1
5.3.2rc1
5.3.2
5.3.3rc1
5.3.3
5.3.4rc1
5.3.4
5.4.0rc1
5.4.0rc2
5.4.0
5.4.1rc1
5.4.1
5.4.2rc1
5.4.2
5.5.0rc1
5.5.0
5.5.1rc1
5.5.1
5.5.2rc1
5.5.2
5.5.3rc1
5.5.3
6.*
6.0.0rc1
6.0.0rc2
6.0.0
6.1.0
6.2.0rc1
6.2.0
6.2.1rc1
6.2.1
6.2.2rc1
6.2.2
6.3.0rc1
6.3.0
6.3.1rc1
6.3.1
6.3.2rc1
6.3.2
6.3.3rc1
6.3.3
6.3.4rc1
6.3.4
6.3.5rc1
6.3.5
6.4.0rc1
6.4.0
6.4.1rc1
6.4.1
6.4.2rc1
6.4.2
6.4.3rc1
6.4.3
6.4.4rc1
6.4.4
6.5.0rc1
6.5.0rc2
6.5.0rc3
6.5.0
6.5.1rc1
6.5.1
6.5.2rc1
6.5.2
6.5.3rc1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-elasticsearch/PYSEC-2026-22.yaml"