MITM via missing TLS cert check in Apache Airflow SMTP Hook
CVE-2026-41016 Published on April 30, 2026
Apache Airflow Providers SMTP: No certificate validation on SMTP STARTTLS connections in SMTP provider
Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix.
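The following added example (not the provider's own code or its fix) shows the defensive counterpart to the behaviour described above: a verifying `ssl.SSLContext` passed to `smtplib.SMTP.starttls()`, a small audit of what the no-context default tolerates, and a connect-upgrade-login sequence that fails closed before credentials are sent. Host, port and credentials are caller-supplied placeholders; function names are hypothetical.

```python
import smtplib
import ssl
from typing import List, Optional


def make_verifying_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Context that validates the server chain and matches the hostname.

    ssl.create_default_context() loads the system trust store and sets
    verify_mode=CERT_REQUIRED with check_hostname=True. ca_bundle (optional)
    lets a deployment trust only an internal CA for a private mail relay.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True  # explicit, so a refactor cannot silently weaken it
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that would let an on-path host pass the STARTTLS upgrade."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a cert for another name is accepted")
    return findings


def legacy_starttls_context() -> ssl.SSLContext:
    """Constructed for comparison: the unverified settings smtplib applies
    when starttls() is called with no context, i.e. the vulnerable pattern."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_and_login(host: str, port: int, user: str, password: str,
                      ca_bundle: Optional[str] = None, timeout: float = 30) -> smtplib.SMTP:
    """Connect, upgrade with a verified STARTTLS, then authenticate.

    With a verifying context, a forged or self-signed certificate raises
    ssl.SSLCertVerificationError during starttls(), before login() runs.
    """
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        # Also raises SMTPNotSupportedError if the relay offers no STARTTLS,
        # so credentials are never sent over a cleartext session.
        smtp.starttls(context=make_verifying_context(ca_bundle))
        smtp.login(user, password)
    except Exception:
        smtp.close()
        raise
    return smtp
```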
Vulnerability Analysis
CVE-2026-41016 is exploitable with network access and requires neither privileges nor user interaction. The attack complexity is rated high. A successful exploit is considered to have a high impact on confidentiality, with no impact on integrity or availability.
Weakness Type
Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.
Products Associated with CVE-2026-41016
Affected Versions
Apache Software Foundation Apache Airflow Providers SMTP: versions from 2.0.0 up to, but not including, 3.0.0 are affected.