Description
Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix.
Published: 2026-04-30
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises when the SmtpHook opens a STARTTLS session without providing an SSL context, so the server certificate is never validated. Consequently, an attacker positioned as a man‑in‑the‑middle can present a self‑signed certificate, complete the TLS handshake, and capture the SMTP credentials that Airflow subsequently sends during the login() operation.

Affected Systems

The flaw affects the Apache Airflow Providers SMTP package distributed by the Apache Software Foundation. Any deployment of Airflow that includes versions of the SMTP provider before the fix is vulnerable. Users should upgrade to the latest apache‑airflow‑providers‑smtp release where the certificate validation issue has been addressed.

Risk and Exploitability

The vulnerability leads to credential theft over TLS; it requires the attacker to be able to intercept the network traffic between the Airflow worker and the SMTP server. No public exploit appears to be available, and the EPSS score of < 1% indicates a very low but non‑zero exploitation probability. The lack of certificate validation makes a MITM attack feasible for anyone on the network path. The CVSS score of 5.9 indicates medium severity, but given the potential for credential compromise, the risk warrants prompt remediation. The vulnerability is not yet listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 2, 2026 at 08:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest apache-airflow-providers-smtp release that includes the certificate validation fix
  • If an upgrade cannot be performed immediately, modify the SMTP hook to supply a valid SSL context or enforce certificate verification by custom code
  • Restrict network access so only trusted hosts can reach the SMTP server from Airflow workers
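The second recommended action, shown as an added example in plain `smtplib` rather than the provider's own `SmtpHook` code: build an explicitly verifying SSL context, check it before any credentials are sent, and pass it to `starttls()`. Host, port, credentials and the optional CA bundle path are assumptions supplied by the caller.

```python
import smtplib
import ssl
from typing import Optional


def verified_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that validates the server certificate chain and hostname.

    ca_file is an optional private CA bundle (hypothetical path supplied by the
    caller); with None the platform trust store is used.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    # These are already the defaults of create_default_context(); setting them
    # explicitly documents the intent and guards against later loosening.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_verifying(ctx: Optional[ssl.SSLContext]) -> bool:
    """Pre-flight check: True only if the context rejects untrusted certificates."""
    return (
        ctx is not None
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
    )


def legacy_default_context() -> ssl.SSLContext:
    """A context with verification disabled, the behaviour of the vulnerable path
    (starttls() with no context): the handshake completes against any certificate."""
    return ssl._create_unverified_context()


def send_with_starttls(host, port, user, password, msg, ctx):
    """STARTTLS + LOGIN, refusing to send credentials over an unverified channel."""
    if not context_is_verifying(ctx):
        raise ValueError("refusing STARTTLS without certificate verification")
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)   # the fix: an explicit verifying context
        smtp.ehlo()                  # re-EHLO after the upgrade, per RFC 3207
        smtp.login(user, password)   # credentials cross only an authenticated channel
        smtp.send_message(msg)
```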

Advisories
Source      | ID                  | Title
GitHub GHSA | GHSA-x8mh-94wc-33gv | apache-airflow-providers-smtp: No certificate validation on SMTP STARTTLS connections in SMTP provider
History

Fri, 01 May 2026 18:00:00 +0000

Type               | Values Removed | Values Added
First Time appeared|                | Apache airflow
CPEs               |                | cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
Vendors & Products |                | Apache airflow

Fri, 01 May 2026 08:45:00 +0000

Type               | Values Removed | Values Added
First Time appeared|                | Apache; Apache airflow Providers Smtp
Vendors & Products |                | Apache; Apache airflow Providers Smtp

Thu, 30 Apr 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}
        |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 09:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix.
Title       |                | Apache Airflow Providers SMTP: No certificate validation on SMTP STARTTLS connections in SMTP provider
Weaknesses  |                | CWE-295
References  |                |

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-30T13:17:14.490Z

Reserved: 2026-04-16T02:38:58.158Z

Link: CVE-2026-41016

Vulnrichment

Updated: 2026-04-30T13:17:11.334Z

NVD

Status: Analyzed

Published: 2026-04-30T10:16:01.930

Modified: 2026-05-01T17:54:49.593

Link: CVE-2026-41016

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:15:16Z

Weaknesses