PT-2026-36084 · Apache Airflow · Apache-Airflow-Providers-Smtp
Francis Bergin · Published 2026-04-30 · Updated 2026-04-30 · CVE-2026-41016
CVSS v3.1: 5.9 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
apache-airflow-providers-smtp (affected versions not specified)
Description
The SmtpHook component in the SMTP provider calls the Python function smtplib.SMTP.starttls() without an SSL context. This omission prevents certificate validation during the TLS upgrade. Consequently, a man-in-the-middle attacker positioned between the Airflow worker and the SMTP server could present a self-signed certificate to complete the STARTTLS upgrade and capture SMTP credentials transmitted during the login() call.
Recommendations
Upgrade to the version of apache-airflow-providers-smtp that contains the fix.
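The following is an added example, not code from the advisory or from the Airflow SMTP provider: it places the STARTTLS call pattern described above beside a hardened form that validates the server certificate, and uses a constructed FakeSMTP stand-in (an assumption, no network) so the difference can be checked offline.

```python
import smtplib
import ssl


def vulnerable_upgrade(conn):
    # Pattern the advisory describes: no SSLContext is passed, so smtplib
    # falls back to a context that neither verifies the peer certificate
    # nor checks the hostname. Any certificate completes the upgrade, and
    # the later login() then sends credentials to whoever answered.
    conn.starttls()


def hardened_context():
    # create_default_context() loads the system CA store, sets CERT_REQUIRED
    # and enables hostname checking, so an untrusted or mismatched
    # certificate aborts the upgrade before login() is ever reached.
    ctx = ssl.create_default_context()
    return ctx


def hardened_upgrade(conn, ctx=None):
    conn.starttls(context=ctx or hardened_context())


class FakeSMTP(smtplib.SMTP):
    """Constructed stand-in (assumption): records the context starttls()
    received instead of opening a socket; the parent constructor is skipped."""

    def __init__(self):
        self.seen_context = "unset"

    def starttls(self, *, context=None):
        self.seen_context = context
        return (220, b"Ready to start TLS")


def context_verifies_peer(ctx):
    """True only if this context will reject an untrusted or mismatched
    certificate; None means smtplib's non-verifying fallback was used."""
    return (
        isinstance(ctx, ssl.SSLContext)
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
    )


def demo():
    # Returns (vulnerable verifies peer?, hardened verifies peer?)
    weak, strong = FakeSMTP(), FakeSMTP()
    vulnerable_upgrade(weak)
    hardened_upgrade(strong)
    return context_verifies_peer(weak.seen_context), context_verifies_peer(strong.seen_context)
```

A quick audit of any SmtpHook-like code is the same check: every starttls() call should pass a context for which context_verifies_peer() returns True.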
Weakness Enumeration
Improper Certificate Validation
Affected Products
Apache-Airflow-Providers-Smtp