CVE-2026-41018

MEDIUMNVD 6.56.5—

6.5

The Elasticsearch logging provider, when configured with a host URL that embeds credentials (for example https://user:password@server.example.com:9200), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to apache-airflow-providers-elasticsearch 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the [elasticsearch] host URL.

CVSS v3: 6.5
EG Score: 6.5(medium)
EPSS: 16.1%
KEV: Not listed

Published

May 11, 2026

Last Modified

May 13, 2026

Advisory Details (3)

Auto-updated May 11, 2026

No patch confirmed yet.

generic

oss-security - CVE-2026-41018: Apache Airflow Providers Elasticsearch: Elasticsearch task-log handlers leak credentials embedded in the host URL

http://www.openwall.com/lists/oss-security/2026/05/10/3

generic

https://lists.apache.org/thread/wz5l58drprmwlv6jxnq466x24jqbbhp7

generic

Strip userinfo from ES host URL before using it as task-log label by potiuk · Pull Request #65349 · apache/airflow · GitHub

https://github.com/apache/airflow/pull/65349

Vendor Advisories for CVE-2026-41018(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-g3jr-4jrm-jvqv
GitHub Security AdvisoriesMedium
Apache Airflow Providers Elasticsearch: Elasticsearch task-log handlers leak credentials embedded in the host URL

Frequently asked(5)

What is CVE-2026-41018?

CVE-2026-41018 is a medium vulnerability published on May 11, 2026. The Elasticsearch logging provider, when configured with a host URL that embeds credentials (for example https://user:password@server.example.com:9200), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend…

When was CVE-2026-41018 disclosed?

CVE-2026-41018 was first published in the National Vulnerability Database on May 11, 2026, with the most recent update on May 13, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2026-41018 actively exploited?

CVE-2026-41018 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 16.1% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2026-41018?

CVE-2026-41018 has a CVSS v3 base score of 6.5 (NVD).

How do I remediate CVE-2026-41018?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-41018, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-41018

Explore →

Is Your Infrastructure Affected by CVE-2026-41018?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2026-41018

📅 Published

🔄 Last Modified

📋 Advisory Details (3)

oss-security - CVE-2026-41018: Apache Airflow Providers Elasticsearch: Elasticsearch task-log handlers leak credentials embedded in the host URL

Strip userinfo from ES host URL before using it as task-log label by potiuk · Pull Request #65349 · apache/airflow · GitHub

📣 Vendor Advisories for CVE-2026-41018(1)

❓ Frequently asked(5)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2026-41018?

Published

Last Modified

Advisory Details (3)

Vendor Advisories for CVE-2026-41018(1)

Frequently asked(5)