CVE-2026-41016
Received Received - Intake
SMTP Credential Theft via STARTTLS MITM in Apache Airflow

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: Apache Software Foundation

Description
Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41016
EUVD
EUVD-2026-26359
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow From 2.0.0 (inc) to 3.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Apache Airflow's SMTP provider occurs because the SMTP connection upgrade to TLS using the STARTTLS command does not validate the server's SSL certificate. Specifically, the SmtpHook calls Python's smtplib.SMTP.starttls() without providing an SSL context, which means no certificate validation is performed.

As a result, a man-in-the-middle (MITM) attacker could intercept the connection between the Airflow worker and the SMTP server, present a self-signed or malicious certificate, complete the TLS upgrade, and capture SMTP credentials sent during the subsequent login process.

The issue is fixed by introducing SSL context validation using Python's ssl.create_default_context(), which ensures certificates are validated against trusted Certificate Authorities during the STARTTLS upgrade.

Impact Analysis

This vulnerability can allow an attacker positioned between your Airflow worker and SMTP server to perform a man-in-the-middle attack.

By exploiting the lack of certificate validation during the TLS upgrade, the attacker can intercept and capture SMTP credentials sent during login.

Compromised SMTP credentials could lead to unauthorized access to your email server, potentially allowing the attacker to send or read emails, which may result in data leakage, phishing, or further compromise of your systems.

Detection Guidance

This vulnerability involves the lack of SSL certificate validation during the SMTP STARTTLS upgrade in Apache Airflow's SMTP provider. Detection would involve monitoring SMTP traffic between Airflow workers and SMTP servers to identify if STARTTLS is being used without proper SSL context validation.

One approach is to capture network traffic (e.g., using tcpdump or Wireshark) and inspect the SMTP STARTTLS handshake to see if a self-signed or invalid certificate is accepted without validation.

  • Use tcpdump to capture SMTP traffic on port 25 or 587: sudo tcpdump -i <interface> port 25 or port 587 -w smtp_traffic.pcap
  • Analyze the captured traffic with Wireshark to inspect the TLS handshake and certificate details.
  • Check Airflow logs for SMTP connection attempts and any warnings or errors related to TLS or certificate validation.

Since the vulnerability is due to missing SSL context in the starttls() call, reviewing the Airflow SMTP provider configuration and code to verify if SSL context is set can also help detect the issue.

Mitigation Strategies

The primary mitigation is to upgrade to a version of the apache-airflow-providers-smtp package that contains the fix, which ensures that the SMTP starttls() call uses an SSL context that validates server certificates.

If upgrading immediately is not possible, users can configure Airflow to use an SSL context explicitly by setting the `email.ssl_context` configuration option in `airflow.cfg` or by setting the `ssl_context` connection extra in the SMTP provider.

This configuration enforces certificate validation during the STARTTLS upgrade, preventing man-in-the-middle attacks that could intercept SMTP credentials.

Users relying on self-signed certificates can opt out of validation by setting `email.ssl_context` to "none", but this should be done with caution as it disables certificate validation.

Compliance Impact

This vulnerability allows a man-in-the-middle attacker to intercept SMTP credentials by exploiting the lack of certificate validation during the STARTTLS upgrade in Apache Airflow's SMTP provider. Such interception of credentials can lead to unauthorized access to sensitive information.

Because GDPR, HIPAA, and similar regulations require protection of sensitive data and secure transmission of credentials, this vulnerability could lead to non-compliance by exposing credentials and potentially sensitive email content to attackers.

The fix, which enforces SSL context validation during STARTTLS, helps ensure encrypted and authenticated SMTP connections, thereby supporting compliance with these standards by protecting credential confidentiality during transmission.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41016. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart