{"id":"PYSEC-2026-22","details":"The Elasticsearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:password@server.example.com:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-elasticsearch` 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[elasticsearch] host` URL.","aliases":["CVE-2026-41018","GHSA-g3jr-4jrm-jvqv"],"modified":"2026-05-20T09:18:51.903060Z","published":"2026-05-11T09:16:25.990Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2026/05/10/3"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/wz5l58drprmwlv6jxnq466x24jqbbhp7"},{"type":"FIX","url":"https://github.com/apache/airflow/pull/65349"}],"affected":[{"package":{"name":"apache-airflow-providers-elasticsearch","ecosystem":"PyPI","purl":"pkg:pypi/apache-airflow-providers-elasticsearch"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.5.3"}]}],"versions":["1.0.0","1.0.0b1","1.0.0b2","1.0.0rc1","1.0.1","1.0.1rc1","1.0.2","1.0.2rc1","1.0.3","1.0.3rc1","1.0.4","1.0.4rc1","2.0.0","2.0.0rc1","2.0.1","2.0.1rc1","2.0.2","2.0.2rc1","2.0.2rc2","2.0.3","2.0.3rc1","2.1.0","2.1.0rc1","2.2.0","2.2.0rc3","3.0.0","3.0.0rc1","3.0.1","3.0.1rc1","3.0.2","3.0.2rc1","3.0.3","3.0.3rc1","4.0.0","4.0.0rc1","4.0.0rc2","4.1.0","4.1.0rc1","4.2.0","4.2.0rc1","4.2.0rc2","4.2.0rc3","4.2.1","4.2.1rc1","4.3.0","4.3.0rc1","4.3.1","4.3.1rc2","4.3.1rc3","4.3.2","4.3.2rc1","4.3.2rc2","4.3.3","4.3.3rc1","4.4.0","4.4.0rc1","4.5.0","4.5.0rc1","4.5.0rc2","4.5.1","4.5.1rc1","5.0.0","5.0.0rc1","5.0.0rc2","5.0.0rc3","5.0.1","5.0.1rc1","5.0.2","5.0.2rc1","5.1.0","5.1.0rc1","5.1.1","5.1.1rc1","5.2.0","5.2.0rc1","5.3.0","5.3.0rc1","5.3.1","5.3.1rc1","5.3.2","5.3.2rc1","5.3.3","5.3.3rc1","5.3.4","5.3.4rc1","5.4.0","5.4.0rc1","5.4.0rc2","5.4.1","5.4.1rc1","5.4.2","5.4.2rc1","5.5.0","5.5.0rc1","5.5.1","5.5.1rc1","5.5.2","5.5.2rc1","5.5.3","5.5.3rc1","6.0.0","6.0.0rc1","6.0.0rc2","6.1.0","6.2.0","6.2.0rc1","6.2.1","6.2.1rc1","6.2.2","6.2.2rc1","6.3.0","6.3.0rc1","6.3.1","6.3.1rc1","6.3.2","6.3.2rc1","6.3.3","6.3.3rc1","6.3.4","6.3.4rc1","6.3.5","6.3.5rc1","6.4.0","6.4.0rc1","6.4.1","6.4.1rc1","6.4.2","6.4.2rc1","6.4.3","6.4.3rc1","6.4.4","6.4.4rc1","6.5.0","6.5.0rc1","6.5.0rc2","6.5.0rc3","6.5.1","6.5.1rc1","6.5.2","6.5.2rc1","6.5.3rc1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-elasticsearch/PYSEC-2026-22.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}