CVE Alert

CVE-2026-41016

Severity: UNKNOWN (0.0)

Apache Airflow Providers SMTP: No certificate validation on SMTP STARTTLS connections in SMTP provider

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix.
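The defect described above and its remedy, side by side, as an added example (not Airflow's code and not the fix in the linked pull request): `vulnerable_connect_and_login` calls `starttls()` with no context, so `smtplib` falls back to an unverified one; `hardened_connect_and_login` passes a context from `ssl.create_default_context()` so an untrusted certificate raises before `login()` can send credentials. The `RecordingSMTP` class is a constructed stand-in so the flow runs offline; all function names are assumptions.

```python
import smtplib
import ssl
from typing import Optional

# Constructed stand-in (not Airflow code) so the flow runs offline: it records
# the calls a real smtplib.SMTP would receive instead of opening a socket.
class RecordingSMTP:
    def __init__(self, host: str, port: int, timeout: Optional[float] = None):
        self.calls = []

    def starttls(self, context: Optional[ssl.SSLContext] = None):
        self.calls.append(("starttls", context))
        return (220, b"Ready to start TLS")

    def login(self, user: str, password: str):
        self.calls.append(("login", user))
        return (235, b"Authentication successful")

def make_validating_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies the server's chain and hostname (the CWE-295 fix)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # create_default_context already sets these;
    ctx.verify_mode = ssl.CERT_REQUIRED  # made explicit so a reviewer can see them
    return ctx

def is_validating_context(ctx: Optional[ssl.SSLContext]) -> bool:
    """True only if STARTTLS with this context would reject a self-signed certificate."""
    return ctx is not None and bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED

def vulnerable_connect_and_login(host, port, user, password, smtp_cls=smtplib.SMTP):
    """The advisory's pattern: starttls() with no context. smtplib then falls back
    to an unverified context, so any certificate is accepted and login() hands the
    password to whoever answered the connection."""
    conn = smtp_cls(host, port, timeout=30)
    conn.starttls()
    conn.login(user, password)
    return conn

def hardened_connect_and_login(host, port, user, password, smtp_cls=smtplib.SMTP,
                               context: Optional[ssl.SSLContext] = None):
    """Upgrade with a verifying context; a bad certificate raises before login() runs."""
    ctx = context or make_validating_context()
    if not is_validating_context(ctx):
        raise ValueError("refusing STARTTLS with a non-validating SSL context")
    conn = smtp_cls(host, port, timeout=30)
    conn.starttls(context=ctx)   # ssl.SSLCertVerificationError on an untrusted chain
    conn.login(user, password)   # credentials travel only over a verified channel
    return conn
```

With a real `smtplib.SMTP` the hardened path fails closed on a self-signed certificate, which is exactly the case the advisory's man-in-the-middle scenario relies on.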

CWE: CWE-295
Vendor: Apache Software Foundation
Product: Apache Airflow Providers SMTP
Published: Apr 30, 2026

Affected Versions

Apache Software Foundation / Apache Airflow Providers SMTP
2.0.0 < 3.0.0

References

github.com: https://github.com/apache/airflow/pull/65346
lists.apache.org: https://lists.apache.org/thread/gb202qy5r31bgdd3d51d7s5o1jh40kc4

Credits

Francis Bergin (@francisbergin), Jarek Potiuk