PT-2026-45382 · Apache · Apache Airflow

·

CVE-2026-49267

·

Published

2026-06-01

·

Updated

2026-07-13

CVSS v3.1

5.9

Medium

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.2
Description The EmailOperator and airflow.utils.email helpers establish SMTP STARTTLS connections without verifying the remote certificate when the deployment is configured with smtp starttls=True and smtp ssl=False. This allows an attacker positioned between the worker and the SMTP server to perform a Man-in-the-Middle (MITM) attack by presenting a self-signed certificate. Consequently, the attacker can silently complete the STARTTLS handshake and capture SMTP AUTH credentials and the contents of forwarded messages.
Recommendations Upgrade to version 3.2.2 or later.

Exploit

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BIT-AIRFLOW-2026-49267
CVE-2026-49267
GHSA-799X-QP47-8QWQ
PYSEC-2026-2346

Affected Products

Apache Airflow