SMTP Provider Vulnerability in Apache Airflow
CVE-2026-41016
Currently unrated
What is CVE-2026-41016?
CVE-2026-41016 is a vulnerability in the Apache Airflow SMTP provider (the apache-airflow-providers-smtp package). When the provider upgrades a plaintext SMTP session to TLS, it calls smtplib.SMTP.starttls() without passing an SSL context. In that case Python falls back to a context that neither verifies the server's certificate chain nor checks its hostname, so the client accepts whatever certificate is presented. An attacker positioned between Airflow and the mail server can therefore answer the STARTTLS upgrade with a self-signed certificate, terminate the TLS session themselves, and read the SMTP credentials that Airflow sends during the authentication that follows; with those credentials they can also read or send mail as the Airflow account. Users should upgrade apache-airflow-providers-smtp to the latest release, outside the affected range listed below.
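The two call patterns side by side, as an added example that is not code from Airflow or the provider package: send_vulnerable reproduces the unsafe starttls() call the advisory describes, send_hardened passes a verifying context, and RecordingSMTP and audit_starttls are assumed helper names that let the difference be checked offline without a mail server.

```python
"""Added example (not Airflow's code): starttls() with the stdlib default
context beside a hardened call, plus an offline check of which one a mailer uses.
RecordingSMTP and audit_starttls are helper names assumed for this example."""
import ssl
from email.message import EmailMessage
from typing import Optional


def stdlib_default_context() -> ssl.SSLContext:
    """The context smtplib.SMTP.starttls() falls back to when context=None.

    ssl._create_stdlib_context is a private name; it is called here only to make
    the default inspectable. It yields CERT_NONE and check_hostname=False.
    """
    return ssl._create_stdlib_context()


def verifying_context() -> ssl.SSLContext:
    """A client context that verifies the chain against the system trust store
    and checks the hostname; this is what should be passed to starttls()."""
    ctx = ssl.create_default_context()  # PROTOCOL_TLS_CLIENT, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if a self-signed or wrong-host certificate would be rejected."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def send_vulnerable(smtp, user: str, password: str, msg: EmailMessage) -> None:
    """Before: no context, so any certificate is accepted during the upgrade
    and the AUTH credentials go to whoever terminated TLS."""
    smtp.starttls()
    smtp.login(user, password)
    smtp.send_message(msg)


def send_hardened(smtp, user: str, password: str, msg: EmailMessage,
                  context: Optional[ssl.SSLContext] = None) -> None:
    """After: starttls() with a verifying context. A MITM certificate makes the
    wrapped socket raise ssl.SSLCertVerificationError before login() runs."""
    smtp.starttls(context=context or verifying_context())
    smtp.login(user, password)
    smtp.send_message(msg)


class RecordingSMTP:
    """Stand-in for smtplib.SMTP that records the starttls() call instead of
    touching the network. Real use: smtplib.SMTP(host, 587) in its place."""

    def __init__(self) -> None:
        self.context = None
        self.starttls_called = False
        self.login_called = False

    def starttls(self, *, context=None):
        self.starttls_called = True
        self.context = context

    def login(self, user, password):
        self.login_called = True

    def send_message(self, msg):
        pass


def audit_starttls(send) -> bool:
    """Drive a mail-sending function with the recorder and report whether the
    TLS upgrade it performs would reject an attacker's certificate."""
    smtp = RecordingSMTP()
    msg = EmailMessage()  # constructed sample message, not real mail
    msg["Subject"] = "airflow alert"
    send(smtp, "airflow@example.com", "not-a-real-password", msg)
    if not smtp.starttls_called:
        return False
    # context=None means smtplib would substitute its non-verifying default.
    ctx = smtp.context if smtp.context is not None else stdlib_default_context()
    return context_is_verifying(ctx)


if __name__ == "__main__":
    for name, fn in (("vulnerable", send_vulnerable), ("hardened", send_hardened)):
        print(f"{name}: TLS upgrade rejects MITM certificate = {audit_starttls(fn)}")
```

Both conditions in context_is_verifying matter: CERT_REQUIRED alone still accepts a certificate that is valid for some other hostname, which an attacker can obtain legitimately, so hostname checking is what ties the certificate to the configured mail server.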
Affected Version(s)
apache-airflow-providers-smtp >= 2.0.0, < 3.0.0 (from 2.0.0 up to, but not including, 3.0.0)