CVE-2026-49267
Analyzed Analyzed - Analysis Complete
SMTP Credential Leak in Apache Airflow via STARTTLS

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: Apache Software Foundation

Description
Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used `[email] smtp_starttls=True` without `[email] smtp_ssl`. An attacker positioned between the worker and the configured SMTP server (network MITM β€” typical hostile-network attack-surface for environments where the SMTP relay sits outside the worker's trust boundary) could present a self-signed certificate, have the worker complete the STARTTLS handshake silently, and capture the SMTP AUTH credentials and message contents the worker forwarded. This CVE covers the **core apache-airflow side** of the same root cause already covered for the SMTP provider by `CVE-2026-41016` (published 2026-04-27, covering `apache-airflow-providers-smtp`). Users who already applied the SMTP-provider fix from CVE-2026-41016 should additionally upgrade `apache-airflow` to 3.2.2 or later to cover the core-side path through `airflow.utils.email`. Affects deployments configured with `smtp_starttls=True` and `smtp_ssl=False` where the SMTP relay is reachable across a less-trusted network segment than the worker. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-03
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-49267
EUVD
EUVD-2026-33594
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow From 2.0.0 (inc) to 3.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Apache Airflow occurs because the EmailOperator and the underlying email utilities establish SMTP STARTTLS connections without verifying the remote server's TLS certificate when configured with smtp_starttls=True and smtp_ssl=False.

An attacker positioned between the Airflow worker and the SMTP server (a man-in-the-middle attack) can present a self-signed certificate. Because the certificate is not validated, the worker completes the STARTTLS handshake silently, allowing the attacker to intercept SMTP authentication credentials and email message contents.

This issue is due to the lack of SSL context validation in the starttls() method calls, which by default do not verify certificates unless explicitly configured to do so.

The vulnerability affects deployments where the SMTP relay is reachable across a less-trusted network segment than the worker and where smtp_starttls is enabled without smtp_ssl.

Impact Analysis

If exploited, this vulnerability allows an attacker to intercept sensitive information such as SMTP authentication credentials and the contents of emails sent by Apache Airflow.

This can lead to unauthorized access to email accounts, exposure of confidential information, and potential further compromise of systems relying on those credentials.

The attack requires the attacker to be positioned on the network path between the Airflow worker and the SMTP server, which is a common risk in hostile or untrusted network environments.

Detection Guidance

This vulnerability involves SMTP STARTTLS connections established without verifying the remote certificate, which can be exploited by a man-in-the-middle (MITM) attacker. Detection would involve monitoring SMTP traffic for STARTTLS handshakes that do not validate certificates.

You can detect this vulnerability by capturing SMTP traffic between your Airflow workers and the SMTP server and inspecting whether the STARTTLS handshake is performed without proper certificate validation.

Suggested commands include using network packet capture tools such as tcpdump or Wireshark to monitor SMTP traffic on port 25 or 587 (depending on your SMTP configuration):

  • tcpdump -i <interface> -s 0 -w smtp_traffic.pcap port 25 or port 587
  • Use Wireshark to open the captured pcap file and analyze the SMTP STARTTLS handshake to check if certificate validation is occurring.

Additionally, reviewing Airflow configuration files for the settings `[email] smtp_starttls=True` and `[email] smtp_ssl=False` can help identify vulnerable deployments.

Mitigation Strategies

The primary mitigation step is to upgrade Apache Airflow to version 3.2.2 or later, which includes fixes to ensure SMTP STARTTLS connections validate remote certificates properly.

If you have already applied the fix for the SMTP provider component (CVE-2026-41016), you must also upgrade the core Apache Airflow package to cover the core-side path through `airflow.utils.email`.

Alternatively, you can configure Airflow to use an explicit SSL context that validates certificates by setting the `email.ssl_context` configuration in `airflow.cfg` or the `ssl_context` connection extra in the SMTP provider.

For environments using self-signed certificates, you can opt out of validation by setting the SSL context to "none", but this should be done with caution as it reduces security.

Also, consider reviewing your network architecture to ensure that SMTP relays are within trusted network boundaries to reduce exposure to MITM attacks.

Compliance Impact

This vulnerability allows an attacker positioned between the worker and the SMTP server to intercept SMTP AUTH credentials and email message contents by exploiting the lack of certificate validation during STARTTLS connections.

Such interception of sensitive data can lead to unauthorized access and disclosure of personal or protected information, which may violate data protection regulations like GDPR and HIPAA that require secure transmission and protection of sensitive data.

Therefore, deployments affected by this vulnerability risk non-compliance with these standards due to potential exposure of confidential information during email transmission.

Upgrading to Apache Airflow 3.2.2 or later, which enforces proper certificate validation, is necessary to mitigate this risk and help maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49267. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart