Homepage

Information Exposure Through Log Files Affecting airflow-3 package, versions <3.2.2-r0

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.05% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Information Exposure Through Log Files vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-MINIMOSLATEST-AIRFLOW3-16748989
  • published18 May 2026
  • disclosed11 May 2026
Report a new vulnerability Found a mistake?

Introduced: 11 May 2026

NewCVE-2026-41018  (opens in a new tab)
CWE-532  (opens in a new tab)

How to fix?

Upgrade Minimos:latest airflow-3 to version 3.2.2-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream airflow-3 package and not the airflow-3 package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

The Elasticsearch logging provider, when configured with a host URL that embeds credentials (for example https://user:password@server.example.com:9200), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to apache-airflow-providers-elasticsearch 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the [elasticsearch] host URL.