apache-airflow-providers-smtp
cpe:2.3:a:apache:apache-airflow-providers-smtp:*:*:*:*:*:*:*
- >= 2.0.0, < 3.0.0
A vulnerability exists in Apache Airflow's SMTP provider, specifically in the SmtpHook component, in versions from 2.0.0 up to, but not including, 3.0.0. The SmtpHook calls Python's smtplib.SMTP.starttls() without an SSL context, so the server certificate is not validated during the TLS upgrade. This flaw allows a man-in-the-middle attacker to intercept the connection between the Airflow worker and the SMTP server, present a self-signed certificate, complete the STARTTLS upgrade, and capture SMTP credentials during the subsequent login() call.
Exploitation of this vulnerability could result in the interception of SMTP credentials by a man-in-the-middle attacker.
Users are advised to upgrade to the version of apache-airflow-providers-smtp that includes the fix.
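For auditing your own DAG and plugin code for the same pattern, here is an added example (not Airflow's code and not the provider's fix): a Python ast check that flags starttls() calls made without a verifying context. The sample source, function names and messages are constructed for illustration.

```python
import ast

# Constructed sample source: the vulnerable form the advisory describes,
# the hardened form that passes a verifying SSL context, and an explicit
# context=None (smtplib treats None the same as omitting the argument).
SAMPLE = '''
import smtplib, ssl

def send_unverified(host, user, password):
    conn = smtplib.SMTP(host, 587)
    conn.starttls()                      # no context: certificate not validated
    conn.login(user, password)

def send_verified(host, user, password):
    conn = smtplib.SMTP(host, 587)
    conn.starttls(context=ssl.create_default_context())
    conn.login(user, password)

def send_explicit_none(host):
    conn = smtplib.SMTP(host, 587)
    conn.starttls(context=None)
'''

def find_unverified_starttls(source, filename="<source>"):
    """Return sorted (line, reason) pairs for .starttls() calls lacking a context."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "starttls"):
            continue
        # Look for an explicit context= keyword on the call.
        ctx = next((kw.value for kw in node.keywords if kw.arg == "context"), None)
        if ctx is None:
            findings.append((node.lineno, "starttls() called without context="))
        elif isinstance(ctx, ast.Constant) and ctx.value is None:
            findings.append((node.lineno, "starttls() called with context=None"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in find_unverified_starttls(SAMPLE):
        print(f"line {line}: {reason}")
```

The check is syntactic: it does not confirm that a supplied context actually enforces verification, so a context with check_hostname disabled or verify_mode set to CERT_NONE still needs manual review.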