Description

Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix.
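The defect is easiest to see as the two call patterns side by side. The following is an added example, not code from the Airflow SMTP provider or from the fix: the helper names (`send_login_vulnerable`, `send_login_hardened`, `context_verifies_peer`) are hypothetical, and `RecordingSMTP` is a constructed stand-in for `smtplib.SMTP` that records what was passed to `starttls()` so the comparison runs offline. The fact it relies on is that `smtplib.SMTP.starttls()` called with no `context` falls back to an internal context with `verify_mode=CERT_NONE`, whereas `ssl.create_default_context()` yields `CERT_REQUIRED` plus hostname checking.

```python
import ssl


def verifying_tls_context(cafile=None):
    """Return a client context that validates the server certificate.

    ssl.create_default_context() loads the platform trust store (or the
    given cafile) and sets verify_mode=CERT_REQUIRED and check_hostname=True,
    so a self-signed or mis-issued certificate aborts the STARTTLS upgrade
    before any credentials are sent.
    """
    return ssl.create_default_context(cafile=cafile)


def unverified_context():
    """A context that skips validation, built only so the checker below can
    flag it: passing *some* context is not enough if it looks like this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx):
    """True only if the context used for starttls() authenticates the server.

    None models smtplib's behaviour when no context is supplied: it falls
    back to an internal context with CERT_NONE, which is the advisory's flaw.
    """
    if ctx is None:
        return False
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def send_login_vulnerable(smtp, user, password):
    """The pattern the advisory describes (hypothetical helper name):
    starttls() with no context, then login() over the unauthenticated tunnel.
    """
    smtp.ehlo()
    smtp.starttls()
    smtp.ehlo()
    smtp.login(user, password)


def send_login_hardened(smtp, user, password, context=None):
    """Fixed pattern: hand starttls() a verifying context, and refuse to
    send credentials if the supplied context would not authenticate the peer."""
    ctx = context if context is not None else verifying_tls_context()
    if not context_verifies_peer(ctx):
        raise ValueError("refusing STARTTLS with a non-verifying SSL context")
    smtp.ehlo()
    smtp.starttls(context=ctx)
    smtp.ehlo()
    smtp.login(user, password)


class RecordingSMTP:
    """Constructed stand-in for smtplib.SMTP (no network): records the context
    handed to starttls() so both patterns can be compared offline."""

    def __init__(self):
        self.starttls_called = False
        self.starttls_context = None
        self.logged_in = False

    def ehlo(self):
        return (250, b"ok")

    def starttls(self, keyfile=None, certfile=None, context=None):
        self.starttls_called = True
        self.starttls_context = context
        return (220, b"ready")

    def login(self, user, password):
        self.logged_in = True
        return (235, b"authenticated")


if __name__ == "__main__":
    # Against a real server the object would be smtplib.SMTP(host, 587).
    s = RecordingSMTP()
    send_login_vulnerable(s, "airflow", "secret")
    print("vulnerable pattern verifies peer:", context_verifies_peer(s.starttls_context))
    s = RecordingSMTP()
    send_login_hardened(s, "airflow", "secret")
    print("hardened pattern verifies peer:", context_verifies_peer(s.starttls_context))
```

The guard in `send_login_hardened` is the practitioner's check: it is not enough that a context is passed, it must also have `CERT_REQUIRED` and `check_hostname` set, otherwise a server presenting any certificate still completes the upgrade and receives the `login()` credentials.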

PUBLISHED Reserved 2026-04-16 | Published 2026-04-30 | Updated 2026-04-30 | Assigner apache

Problem types

CWE-295: Improper Certificate Validation

Product status

Default status: unaffected

2.0.0 (semver) before 3.0.0: affected

Credits

Francis Bergin (@francisbergin): finder

Jarek Potiuk: remediation developer

References

github.com/apache/airflow/pull/65346 (patch)

lists.apache.org/thread/gb202qy5r31bgdd3d51d7s5o1jh40kc4 (vendor advisory)

cve.org (CVE-2026-41016)

nvd.nist.gov (CVE-2026-41016)