CVE-2026-41016
SMTP Credential Theft via STARTTLS MITM in Apache Airflow
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow | From 2.0.0 (inc) to 3.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apache Airflow's SMTP provider occurs because the SMTP connection upgrade to TLS using the STARTTLS command does not validate the server's SSL certificate. Specifically, the SmtpHook calls Python's smtplib.SMTP.starttls() without providing an SSL context, which means no certificate validation is performed.
As a result, a man-in-the-middle (MITM) attacker could intercept the connection between the Airflow worker and the SMTP server, present a self-signed or malicious certificate, complete the TLS upgrade, and capture SMTP credentials sent during the subsequent login process.
The issue is fixed by introducing SSL context validation using Python's ssl.create_default_context(), which ensures certificates are validated against trusted Certificate Authorities during the STARTTLS upgrade.
How can this vulnerability impact me?
This vulnerability can allow an attacker positioned between your Airflow worker and SMTP server to perform a man-in-the-middle attack.
By exploiting the lack of certificate validation during the TLS upgrade, the attacker can intercept and capture SMTP credentials sent during login.
Compromised SMTP credentials could lead to unauthorized access to your email server, potentially allowing the attacker to send or read emails, which may result in data leakage, phishing, or further compromise of your systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the lack of SSL certificate validation during the SMTP STARTTLS upgrade in Apache Airflow's SMTP provider. Detection would involve monitoring SMTP traffic between Airflow workers and SMTP servers to identify if STARTTLS is being used without proper SSL context validation.
One approach is to capture network traffic (e.g., using tcpdump or Wireshark) and inspect the SMTP STARTTLS handshake to see if a self-signed or invalid certificate is accepted without validation.
- Use tcpdump to capture SMTP traffic on port 25 or 587 (options go before the capture filter, otherwise `-w` is parsed as part of the filter): `sudo tcpdump -i <interface> -w smtp_traffic.pcap 'port 25 or port 587'`
- Analyze the captured traffic with Wireshark to inspect the TLS handshake and certificate details.
- Check Airflow logs for SMTP connection attempts and any warnings or errors related to TLS or certificate validation.
Since the vulnerability is due to the missing SSL context in the starttls() call, reviewing the Airflow SMTP provider configuration and code to verify whether an SSL context is passed to starttls() can also help detect the issue.
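A packet capture shows which certificate the server presented, but not whether the client checked it, so the source-level review is the more direct check. The following is an added example (not Airflow or project code) that walks a Python source tree's AST and reports every `starttls()` call that passes no `context=` keyword, which is exactly the defect described above. The sample source it scans is constructed for the demonstration.

```python
"""Static check for smtplib STARTTLS upgrades that pass no SSL context.

Added example, not Airflow's or the SMTP provider's code. It parses Python
source and reports calls to a method named ``starttls`` that carry no
``context=`` keyword argument; smtplib.SMTP.starttls() without an
ssl.SSLContext performs no certificate validation.
"""
import ast
from typing import List, Tuple

# Constructed sample: one vulnerable call (line 6) and one hardened call.
SAMPLE_SOURCE = '''
import smtplib, ssl

def send_unverified(host, user, password):
    conn = smtplib.SMTP(host, 587)
    conn.starttls()                      # no context: certificate not checked
    conn.login(user, password)

def send_verified(host, user, password):
    conn = smtplib.SMTP(host, 587)
    conn.starttls(context=ssl.create_default_context())
    conn.login(user, password)
'''


def find_unverified_starttls(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (line number, call text) for each starttls() call lacking context=."""
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match both `conn.starttls(...)` and a bare `starttls(...)`.
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "starttls":
            continue
        has_context = any(kw.arg == "context" for kw in node.keywords)
        # A **kwargs splat (kw.arg is None) might carry context; do not flag it,
        # a human reviewer should look at those by hand.
        has_splat = any(kw.arg is None for kw in node.keywords)
        if not has_context and not has_splat:
            findings.append((node.lineno, ast.unparse(node)))
    return findings


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Convenience wrapper: scan one .py file on disk (path is the caller's choice)."""
    with open(path, encoding="utf-8") as fh:
        return find_unverified_starttls(fh.read(), path)


if __name__ == "__main__":
    for lineno, call in find_unverified_starttls(SAMPLE_SOURCE):
        print(f"sample:{lineno}: starttls() without context= -> {call}")
```

Run `scan_file()` over the installed provider package or your own DAG code; any hit is a STARTTLS upgrade that will accept a self-signed or otherwise untrusted certificate before credentials are sent.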
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade to a version of the apache-airflow-providers-smtp package that contains the fix, which ensures that the SMTP starttls() call uses an SSL context that validates server certificates.
If upgrading immediately is not possible, users can configure Airflow to use an SSL context explicitly by setting the `email.ssl_context` configuration option in `airflow.cfg` or by setting the `ssl_context` connection extra in the SMTP provider.
This configuration enforces certificate validation during the STARTTLS upgrade, preventing man-in-the-middle attacks that could intercept SMTP credentials.
Users relying on self-signed certificates can opt out of validation by setting `email.ssl_context` to "none", but this should be done with caution as it disables certificate validation.
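To make the mitigation concrete, here is an added example (not Airflow's SmtpHook, whose internals the page does not show) that maps an `ssl_context` setting to the context handed to `starttls()`: the default is `ssl.create_default_context()`, which validates the chain and hostname, and the value "none" opts out as the answer above describes. The helper names, the accepted values, and the `send_with_starttls()` wrapper are assumptions made for illustration.

```python
"""Building the SSL context for an SMTP STARTTLS upgrade.

Added example, not Airflow's SmtpHook. ``ssl.create_default_context()``
(verifying, hostname-checking) is the default; the string "none" is the
explicit opt-out for self-signed servers. The setting name ``ssl_context``
and all helper names are assumptions for this illustration.
"""
import smtplib
import ssl


def build_ssl_context(setting: str = "default") -> ssl.SSLContext:
    """Map a configuration value to the context passed to starttls()."""
    value = setting.strip().lower()
    if value == "default":
        # Verifies the chain against the system trust store and checks the hostname.
        return ssl.create_default_context()
    if value == "none":
        # Explicit opt-out: no chain or hostname verification. This is the
        # same trust level the unpatched starttls() call had, so use only for
        # servers you control and cannot give a trusted certificate.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    raise ValueError(f"unsupported ssl_context value: {setting!r}")


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject an untrusted or mismatched certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def send_with_starttls(host, port, user, password, msg, ssl_context="default"):
    """Hardened send: the TLS upgrade verifies the server before login()."""
    ctx = build_ssl_context(ssl_context)
    with smtplib.SMTP(host, port, timeout=30) as conn:
        conn.ehlo()
        # Vulnerable form was conn.starttls() with no context, which accepts
        # any certificate; passing context= is the fix described above.
        conn.starttls(context=ctx)
        conn.ehlo()  # capabilities can change after the upgrade
        conn.login(user, password)
        conn.send_message(msg)
```

With `ssl_context="default"` a MITM presenting a self-signed certificate fails the handshake and `login()` is never reached, so no credentials leave the worker; with `"none"` the upgrade succeeds against any certificate, which is why the answer above treats that value as an opt-out to use with caution.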
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a man-in-the-middle attacker to intercept SMTP credentials by exploiting the lack of certificate validation during the STARTTLS upgrade in Apache Airflow's SMTP provider. Such interception of credentials can lead to unauthorized access to sensitive information.
Because GDPR, HIPAA, and similar regulations require protection of sensitive data and secure transmission of credentials, this vulnerability could lead to non-compliance by exposing credentials and potentially sensitive email content to attackers.
The fix, which enforces SSL context validation during STARTTLS, helps ensure encrypted and authenticated SMTP connections, thereby supporting compliance with these standards by protecting credential confidentiality during transmission.