Description
Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used `[email] smtp_starttls=True` without `[email] smtp_ssl`. An attacker positioned between the worker and the configured SMTP server (network MITM — typical hostile-network attack-surface for environments where the SMTP relay sits outside the worker's trust boundary) could present a self-signed certificate, have the worker complete the STARTTLS handshake silently, and capture the SMTP AUTH credentials and message contents the worker forwarded.

This CVE covers the **core apache-airflow side** of the same root cause already covered for the SMTP provider by `CVE-2026-41016` (published 2026-04-27, covering `apache-airflow-providers-smtp`). Users who already applied the SMTP-provider fix from CVE-2026-41016 should additionally upgrade `apache-airflow` to 3.2.2 or later to cover the core-side path through `airflow.utils.email`. Affects deployments configured with `smtp_starttls=True` and `smtp_ssl=False` where the SMTP relay is reachable across a less-trusted network segment than the worker.

Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Published: 2026-06-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Apache Airflow’s EmailOperator and the underlying email utilities, which establish SMTP STARTTLS connections without verifying the remote certificate when smtp_starttls is enabled but smtp_ssl is not. This is a CWE‑295 weakness (Improper Validation of Trust). This allows an attacker positioned between the Airflow worker and the SMTP relay to present a self‑signed or otherwise untrusted certificate, complete the STARTTLS handshake silently, and capture plaintext SMTP authentication credentials and any email payloads the worker forwards.

Affected Systems

All installations of Apache Airflow prior to version 3.2.2 that use the EmailOperator with smtp_starttls=True and smtp_ssl=False are affected. The issue is confined to the core airflow package; the provider side of the same weakness is addressed by CVE-2026-41016 in the apache-airflow-providers-smtp package.

Risk and Exploitability

An attacker can exploit this by performing a man‑in‑the‑middle between the Airflow worker and the SMTP server, which is a typical risk when the relay resides outside the worker’s trusted network segment. The vulnerability does not carry a KEV designation, has an EPSS score below 1%, and a CVSS score of 5.9 indicating moderate severity. The potential for credential theft and message interception suggests moderate risk when the affected configuration is in use.

Generated by OpenCVE AI on June 2, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.2.2 or newer to apply the fix in airflow.utils.email
  • If upgrading immediately is not possible, disable STARTTLS by setting smtp_starttls=False or enable proper certificate validation via smtp_ssl=True
  • Move the SMTP relay into a trusted network segment or enforce strict outbound firewall rules to prevent unauthorized interception

Generated by OpenCVE AI on June 2, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Tue, 02 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 01 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache airflow
Vendors & Products Apache
Apache airflow

Mon, 01 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used `[email] smtp_starttls=True` without `[email] smtp_ssl`. An attacker positioned between the worker and the configured SMTP server (network MITM — typical hostile-network attack-surface for environments where the SMTP relay sits outside the worker's trust boundary) could present a self-signed certificate, have the worker complete the STARTTLS handshake silently, and capture the SMTP AUTH credentials and message contents the worker forwarded. This CVE covers the **core apache-airflow side** of the same root cause already covered for the SMTP provider by `CVE-2026-41016` (published 2026-04-27, covering `apache-airflow-providers-smtp`). Users who already applied the SMTP-provider fix from CVE-2026-41016 should additionally upgrade `apache-airflow` to 3.2.2 or later to cover the core-side path through `airflow.utils.email`. Affects deployments configured with `smtp_starttls=True` and `smtp_ssl=False` where the SMTP relay is reachable across a less-trusted network segment than the worker. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Title Apache Airflow: No certificate validation on SMTP STARTTLS connections
Weaknesses CWE-295
References

Subscriptions

Apache Airflow
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-02T16:42:48.781Z

Reserved: 2026-05-28T16:39:15.393Z

Link: CVE-2026-49267

cve-icon Vulnrichment

Updated: 2026-06-02T16:22:02.332Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-01T09:16:20.543

Modified: 2026-06-03T02:06:28.127

Link: CVE-2026-49267

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T19:15:16Z

Weaknesses
  • CWE-295

    Improper Certificate Validation