VulnerableCode Package Details - pkg:pypi/apache-airflow-providers-elasticsearch@4.3.1rc3

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:pypi/apache-airflow-providers-elasticsearch@4.3.1rc3

purl	pkg:pypi/apache-airflow-providers-elasticsearch@4.3.1rc3

Next non-vulnerable version	6.5.3
Latest non-vulnerable version	6.5.3
Risk

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-y9wb-1dkz-zqf6 Aliases: CVE-2026-41018 PYSEC-2026-22	The Elasticsearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:password@server.example.com:9200`), wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend credentials. Users are advised to upgrade to `apache-airflow-providers-elasticsearch` 6.5.3 or later and, as a defense-in-depth measure, configure the backend credentials via a secret backend rather than embedding them in the `[elasticsearch] host` URL.	6.5.3 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-30T20:38:23.081503+00:00	Pypa Importer	Affected by	VCID-y9wb-1dkz-zqf6	https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-elasticsearch/PYSEC-2026-22.yaml	38.6.0