CVE-2026-41016 - Vulnerability Details - OpenCVE

Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0001.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/apache/airflow/pull/65346
https://lists.apache.org/thread/gb202qy5r31bgdd3d51d7s5o1jh40kc4

History

Thu, 30 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
Description		Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix.
Title		Apache Airflow Providers SMTP: No certificate validation on SMTP STARTTLS connections in SMTP provider
Weaknesses		CWE-295
References		https://github.com/apache/airflow/pull/65346 https://lists.apache.org/thread/gb202qy5r31bgdd3d51d7s5o1jh40kc4

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-04-30T09:09:45.529Z

Updated: 2026-04-30T13:17:14.490Z

Reserved: 2026-04-16T02:38:58.158Z

Link: CVE-2026-41016

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-30T10:16:01.930

Modified: 2026-04-30T10:16:01.930

Link: CVE-2026-41016

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41016", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-16T02:38:58.158Z", "datePublished": "2026-04-30T09:09:45.529Z", "dateUpdated": "2026-04-30T13:17:14.490Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow-providers-smtp", "product": "Apache Airflow Providers SMTP", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.0.0", "status": "affected", "version": "2.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Francis Bergin (@francisbergin)"}, {"lang": "en", "type": "remediation developer", "value": "Jarek Potiuk"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix."}], "value": "Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-30T09:09:45.529Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/65346"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/gb202qy5r31bgdd3d51d7s5o1jh40kc4"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow Providers SMTP: No certificate validation on SMTP STARTTLS connections in SMTP provider", "x_generator": {"engine": "airflow-s/generate_cve_json.py"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-30T13:16:50.020130Z", "id": "CVE-2026-41016", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-30T13:17:14.490Z"}}]}}