GHSA-799x-qp47-8qwq
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 4 pypi packages depend on apache-airflow (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.0.0.
Description PRE-NVD
AnalysisAI
Missing certificate validation during SMTP STARTTLS negotiation in Apache Airflow 2.0.0 through 3.2.1 exposes email traffic to man-in-the-middle interception. Both the core email utility (airflow.utils.email.send_email) and the SMTP provider hook (SmtpHook.get_conn, SmtpHook.aget_conn) called starttls() without an SSL context, causing Python's smtplib to accept any server certificate unconditionally. An unauthenticated network-adjacent attacker who can intercept traffic between the Airflow instance and its configured SMTP relay can present a fraudulent TLS certificate, successfully complete the upgrade handshake, and read all outbound email content in cleartext. No public exploit identified at time of analysis and EPSS is 0.01%, but the impact class is high confidentiality loss per CVSS.
Technical ContextAI
CWE-295 (Improper Certificate Validation) is the root cause. Python's smtplib.SMTP.starttls() accepts an optional context parameter; when called without one it creates a bare SSLContext that does not validate the server's certificate chain or hostname. The fix, introduced in PR #65346, adds a _get_ssl_context() helper (airflow-core) and _build_ssl_context() method (SMTP provider) that call ssl.create_default_context(), which validates against the system's trusted CA bundle and enforces hostname checking. Previously the email.ssl_context configuration option only governed the SMTP_SSL path; after the fix it also governs STARTTLS. Affected CPE covers Apache Airflow versions 2.0.0 through 3.2.1 (EUVD: Apache Airflow 2.0.0 < 3.2.2). Both synchronous and async SMTP code paths (get_conn and aget_conn) were vulnerable.
RemediationAI
Upgrade Apache Airflow to version 3.2.2 or later, which is the vendor-released patch addressing this vulnerability per EUVD-2026-33594. The upstream fix is confirmed in GitHub PR #65346 (https://github.com/apache/airflow/pull/65346). After upgrading, the STARTTLS path defaults to ssl.create_default_context(), validating certificates against the system CA bundle. If the deployment intentionally connects to an SMTP server using a self-signed or non-publicly-trusted certificate and upgrading immediately is not feasible, the certificate validation behavior can be preserved as a temporary workaround by setting email.ssl_context = none in airflow.cfg for core email, or by setting the ssl_context connection extra to none in the SMTP connection definition for SmtpHook - however, this explicitly disables all certificate validation and should only be used with a trusted internal SMTP relay over an already-controlled network segment, not as a permanent configuration. The trade-off is clear: setting ssl_context = none re-introduces the original vulnerability.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33594