CVE-2026-41018
ADVISORY - githubSummary
The Elasticsearch logging provider, when configured with a host URL that embeds credentials (for example https://user:password@server.example.com:9200), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to apache-airflow-providers-elasticsearch 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the [elasticsearch] host URL.
EPSS Score: 0.00051 (0.164)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Insertion of Sensitive Information into Log File
ADVISORY - github
Insertion of Sensitive Information into Log File
NIST
CREATED
UPDATED
ADVISORY IDCVE-2026-41018
EXPLOITABILITY SCORE
2.8
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
6.5mediumGitHub
CREATED
UPDATED
ADVISORY IDGHSA-g3jr-4jrm-jvqv
EXPLOITABILITY SCORE
2.8
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
6.5mediumUbuntu
CREATED
UPDATED
ADVISORY IDCVE-2026-41018
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/AmediumPypA
CREATED
UPDATED
ADVISORY ID
PYSEC-2026-22
EXPLOITABILITY SCORE
2.8
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
6.5mediumminimos
CREATED
UPDATED
ADVISORY ID
MINI-gwj8-7xhj-jrp4
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
minimos
CREATED
UPDATED
ADVISORY ID
MINI-q8r3-w7vw-c2wr
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-