Information Exposure Through Log Files The advisory has been revoked - it doesn't affect any version of package airflow-2-compat  (opens in a new tab)

The Minimos security team deemed this advisory irrelevant for Minimos:latest.

Note: Versions mentioned in the description apply only to the upstream airflow-2-compat package and not the airflow-2-compat package as distributed by Minimos.

The Elasticsearch logging provider, when configured with a host URL that embeds credentials (for example https://user:password@server.example.com:9200), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to apache-airflow-providers-elasticsearch 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the [elasticsearch] host URL.

• https://www.cve.org/CVERecord?id=CVE-2026-41018
• https://github.com/advisories/GHSA-g3jr-4jrm-jvqv
• https://osv.dev/vulnerability/MINI-q8r3-w7vw-c2wr
• https://osv.dev/vulnerability/CVE-2026-41018
• https://github.com/apache/airflow/pull/65349
• https://lists.apache.org/thread/wz5l58drprmwlv6jxnq466x24jqbbhp7
• http://www.openwall.com/lists/oss-security/2026/05/10/3