Medium severity5.9NVD Advisory· Published Apr 30, 2026· Updated May 1, 2026
CVE-2026-41016
CVE-2026-41016
Description
Apache Airflow's SMTP provider SmtpHook called Python's smtplib.SMTP.starttls() without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent login() call. Users are advised to upgrade to the apache-airflow-providers-smtp version that contains the fix.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-airflow-providers-smtpPyPI | >= 2.0.0, < 3.0.0 | 3.0.0 |
Affected products
3- osv-coords2 versions
< 3.2.1-r4+ 1 more
- (no CPE)range: < 3.2.1-r4
- (no CPE)range: < 3.2.1-r4
Patches
Vulnerability mechanics
References
5- github.com/apache/airflow/pull/65346nvdIssue TrackingPatchWEB
- github.com/advisories/GHSA-x8mh-94wc-33gvghsaADVISORY
- lists.apache.org/thread/gb202qy5r31bgdd3d51d7s5o1jh40kc4nvdMailing ListVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-41016ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/apache-airflow-providers-smtp/PYSEC-2026-24.yamlghsaWEB
News mentions
0No linked articles in our index yet.