Francis Bergin

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 3.2.2 **Description** The EmailOperator and `airflow.utils.email` helpers establish SMTP STARTTLS connections without verifying the remote certificate when the deployment is configured with `smtp starttls=True` and `smtp ssl=False`. This allows an attacker positioned between the worker and the SMTP server to perform a Man-in-the-Middle (MITM) attack by presenting a self-signed certificate. Consequently, the attacker can silently complete the STARTTLS handshake and capture SMTP AUTH credentials and the contents of forwarded messages. **Recommendations** Upgrade to version 3.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** apache-airflow-providers-smtp (affected versions not specified) **Description** The `SmtpHook` component in the SMTP provider calls the Python function `smtplib.SMTP.starttls()` without an SSL context. This omission prevents certificate validation during the TLS upgrade. Consequently, a man-in-the-middle attacker positioned between the Airflow worker and the SMTP server could present a self-signed certificate to complete the STARTTLS upgrade and capture SMTP credentials transmitted during the `login()` call. **Recommendations** Upgrade to the version of `apache-airflow-providers-smtp` that contains the fix.