Insufficient Certificate Verification in Apache Airflow's EmailOperator
CVE-2026-49267
Currently unrated
What is CVE-2026-49267?
Apache Airflow's EmailOperator, when configured with smtp_starttls=True and smtp_ssl=False, upgrades the SMTP connection with STARTTLS but does not verify the remote server's certificate. A man-in-the-middle attacker can therefore present a self-signed certificate, intercept the connection, and obtain the SMTP AUTH credentials and message content sent over it. Users are urged to upgrade to Apache Airflow version 3.2.2 or later, which addresses this issue.
Affected Version(s)
Apache Airflow from 2.0.0 up to, but not including, 3.2.2