Skip to main content

Apache Airflow SMTP Provider CVE-2026-41016

| EUVDEUVD-2026-26359 MEDIUM
Improper Certificate Validation (CWE-295)
2026-04-30 apache
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

7
Source Code Evidence Fetched
Apr 30, 2026 - 14:24 vuln.today
Analysis Generated
Apr 30, 2026 - 14:24 vuln.today
CVSS changed
Apr 30, 2026 - 14:22 NVD
5.9 (MEDIUM)
EUVD ID Assigned
Apr 30, 2026 - 10:00 euvd
EUVD-2026-26359
Analysis Generated
Apr 30, 2026 - 10:00 vuln.today
Patch released
Apr 30, 2026 - 10:00 nvd
Patch available
CVE Published
Apr 30, 2026 - 09:09 nvd
MEDIUM 5.9

DescriptionCVE.org

Apache Airflow's SMTP provider SmtpHook called Python's smtplib.SMTP.starttls() without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent login() call. Users are advised to upgrade to the apache-airflow-providers-smtp version that contains the fix.

AnalysisAI

Apache Airflow's SmtpHook performs STARTTLS upgrades without SSL certificate validation, allowing man-in-the-middle attackers to intercept SMTP credentials. Remote unauthenticated attackers positioned between an Airflow worker and SMTP server can present a self-signed certificate, complete the TLS handshake, and capture login credentials sent after the upgrade. The vulnerability affects apache-airflow-providers-smtp versions 2.0.0 through 2.x and is patched in version 3.0.0 or later. No public exploit code identified at time of analysis, but EPSS score of 0.01% indicates low real-world exploitation probability despite confidentiality impact.

Technical ContextAI

The vulnerability exists in the SmtpHook class (airflow.providers.smtp.hooks.smtp) which calls Python's smtplib.SMTP.starttls() method without passing an SSL context parameter. Per CWE-295 (Improper Certificate Validation), when no context is provided to starttls(), the Python standard library defaults to accepting any certificate without validation. The SMTP provider supports both synchronous (get_conn) and asynchronous (aget_conn) connection paths. The affected code path is triggered when connecting to SMTP servers using STARTTLS encryption (as opposed to SMTP_SSL, which already had proper context handling). The fix (PR #65346) introduces a _build_ssl_context() method that passes ssl.create_default_context() to starttls(), which validates the server certificate against the system's trusted CA bundle. A configuration option (email.ssl_context or connection extra ssl_context field) allows intentional opt-out for self-signed certificate scenarios.

RemediationAI

Upgrade to apache-airflow-providers-smtp version 3.0.0 or later, which includes the certificate validation fix. The patched version implements ssl.create_default_context() by default for STARTTLS connections, providing immediate protection without configuration changes. For deployments unable to upgrade immediately, certificate validation can be explicitly disabled by setting the connection extra field ssl_context to 'none' (via airflow.cfg email.ssl_context = 'none' for core email, or the SmtpHook connection object for provider usage), but this preserves the vulnerability and is recommended only for isolated test environments with self-signed SMTP servers. A more effective interim mitigation is network segmentation: restrict Airflow worker egress to only authorized SMTP servers via firewall rules, implement VPN or mTLS between workers and SMTP endpoints, or use SMTP_SSL (port 465) instead of STARTTLS (port 587) if the SMTP server supports it (this relies on the existing socket-level TLS rather than the vulnerable upgrade path). See vendor advisory at https://lists.apache.org/thread/gb202qy5r31bgdd3d51d7s5o1jh40kc4 and GitHub PR https://github.com/apache/airflow/pull/65346 for implementation details.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-41016 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy