CVE-2026-49267
SMTP Credential Leak in Apache Airflow via STARTTLS
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache-airflow | From 3.2.2 (inc) |
| apache | apache_airflow | From 3.2.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apache Airflow occurs because the EmailOperator and the underlying email utilities establish SMTP STARTTLS connections without verifying the remote server's TLS certificate when configured with smtp_starttls=True and smtp_ssl=False.
An attacker positioned between the Airflow worker and the SMTP server (a man-in-the-middle attack) can present a self-signed certificate. Because the certificate is not validated, the worker completes the STARTTLS handshake silently, allowing the attacker to intercept SMTP authentication credentials and email message contents.
This issue is caused by calling starttls() without an explicit SSL context: when no context is supplied, the default context used by the underlying (Python smtplib) STARTTLS call does not verify the server certificate, so validation only happens if it is explicitly configured.
The vulnerability affects deployments where the SMTP relay is reachable across a less-trusted network segment than the worker and where smtp_starttls is enabled without smtp_ssl.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker to intercept sensitive information such as SMTP authentication credentials and the contents of emails sent by Apache Airflow.
This can lead to unauthorized access to email accounts, exposure of confidential information, and potential further compromise of systems relying on those credentials.
The attack requires the attacker to be positioned on the network path between the Airflow worker and the SMTP server, which is a common risk in hostile or untrusted network environments.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SMTP STARTTLS connections established without verifying the remote certificate, which can be exploited by a man-in-the-middle (MITM) attacker. Detection would involve monitoring SMTP traffic for STARTTLS handshakes that do not validate certificates.
You can detect this vulnerability by capturing SMTP traffic between your Airflow workers and the SMTP server and inspecting whether the STARTTLS handshake is performed without proper certificate validation.
Suggested commands include using network packet capture tools such as tcpdump or Wireshark to monitor SMTP traffic on port 25 or 587 (depending on your SMTP configuration):
- `tcpdump -i <interface> -s 0 -w smtp_traffic.pcap 'port 25 or port 587'`
- Use Wireshark to open the captured pcap file and analyze the SMTP STARTTLS handshake to check whether certificate validation is occurring.
Additionally, reviewing Airflow configuration files for the settings `[email] smtp_starttls=True` and `[email] smtp_ssl=False` can help identify vulnerable deployments.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Apache Airflow to version 3.2.2 or later, which includes fixes to ensure SMTP STARTTLS connections validate remote certificates properly.
If you have already applied the fix for the SMTP provider component (CVE-2026-41016), you must also upgrade the core Apache Airflow package to cover the core-side path through `airflow.utils.email`.
Alternatively, you can configure Airflow to use an explicit SSL context that validates certificates by setting the `email.ssl_context` configuration in `airflow.cfg` or the `ssl_context` connection extra in the SMTP provider.
For environments using self-signed certificates, you can opt out of validation by setting the SSL context to "none", but this should be done with caution as it reduces security.
Also, consider reviewing your network architecture to ensure that SMTP relays are within trusted network boundaries to reduce exposure to MITM attacks.
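The configuration review mentioned under detection and the `ssl_context` mitigation above can both be exercised in code. The following is an added example, not code from the Apache Airflow project or from this advisory: it audits an `airflow.cfg` fragment for the STARTTLS-without-implicit-TLS path, maps the `ssl_context` setting ("default" or "none") onto a Python `ssl.SSLContext` the way the advisory describes it, and shows the hardened `starttls(context=...)` call beside the vulnerable no-context call. The config text is constructed for the example; the option names follow the advisory (`smtp_starttls`, `smtp_ssl`, `ssl_context`), and the assumption that they may live in either the `[smtp]` or `[email]` section is the author's, not Airflow's documentation.

```python
import configparser
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional

# Constructed airflow.cfg fragment (not from a real deployment):
# STARTTLS on, implicit TLS off, no explicit ssl_context -> the risky path.
VULNERABLE_CFG = """
[email]
email_backend = airflow.utils.email.send_email_smtp

[smtp]
smtp_host = smtp.example.internal
smtp_port = 587
smtp_starttls = True
smtp_ssl = False
smtp_user = airflow
"""

# Same deployment with the explicit verifying context the advisory recommends.
HARDENED_CFG = """
[email]
email_backend = airflow.utils.email.send_email_smtp
ssl_context = default

[smtp]
smtp_host = smtp.example.internal
smtp_port = 587
smtp_starttls = True
smtp_ssl = False
smtp_user = airflow
"""


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "yes", "on")


def _lookup(cfg: configparser.ConfigParser, sections, key: str, fallback: str) -> str:
    # Assumption: the option may appear in [smtp] or [email]; first hit wins.
    for section in sections:
        if cfg.has_option(section, key):
            return cfg.get(section, key)
    return fallback


def audit_email_config(cfg_text: str) -> dict:
    """Flag configs that use STARTTLS without implicit TLS and without an
    explicit verifying ssl_context, i.e. the CWE-295 condition described above."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    starttls = _truthy(_lookup(cfg, ("smtp", "email"), "smtp_starttls", "False"))
    implicit_tls = _truthy(_lookup(cfg, ("smtp", "email"), "smtp_ssl", "False"))
    ssl_context = _lookup(cfg, ("email", "smtp"), "ssl_context", "").strip().lower()
    starttls_path = starttls and not implicit_tls
    return {
        "starttls_path": starttls_path,
        "ssl_context": ssl_context or None,
        # Relying on the library default (or "none") leaves the cert unverified.
        "vulnerable": starttls_path and ssl_context != "default",
    }


def build_smtp_tls_context(setting: Optional[str]) -> Optional[ssl.SSLContext]:
    """Map the ssl_context setting onto an SSLContext: "default" gives a
    verifying context; "none"/unset returns None, which makes smtplib fall back
    to its own non-verifying context (the vulnerable behaviour)."""
    if (setting or "none").strip().lower() == "default":
        return ssl.create_default_context()  # CERT_REQUIRED + hostname check
    return None


def context_verifies(ctx: Optional[ssl.SSLContext]) -> bool:
    return (ctx is not None and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


def send_via_starttls(host: str, port: int, user: str, password: str,
                      message: EmailMessage, setting: str = "default") -> None:
    """Hardened sender: always passes an explicit verifying context.
    The vulnerable pattern is the same sequence with a bare smtp.starttls().
    This example refuses to send without validation rather than opting out."""
    ctx = build_smtp_tls_context(setting)
    if not context_verifies(ctx):
        raise ValueError("refusing STARTTLS without certificate validation")
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)  # smtplib passes host as server_hostname
        smtp.ehlo()
        if user:
            smtp.login(user, password)
        smtp.send_message(message)


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_email_config(text))
```

Running the module prints one finding per config; in a real deployment, point `audit_email_config` at the contents of your `airflow.cfg` (or the equivalent `AIRFLOW__SMTP__*` / `AIRFLOW__EMAIL__*` environment values) rather than the constructed strings. The audit is intentionally conservative: a config that relies on the library default is reported as vulnerable because, on affected versions, that default performs no validation.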
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker positioned between the worker and the SMTP server to intercept SMTP AUTH credentials and email message contents by exploiting the lack of certificate validation during STARTTLS connections.
Such interception of sensitive data can lead to unauthorized access and disclosure of personal or protected information, which may violate data protection regulations like GDPR and HIPAA that require secure transmission and protection of sensitive data.
Therefore, deployments affected by this vulnerability risk non-compliance with these standards due to potential exposure of confidential information during email transmission.
Upgrading to Apache Airflow 3.2.2 or later, which enforces proper certificate validation, is necessary to mitigate this risk and help maintain compliance.