PYSEC-2026-2346
Vulnerability from pysec - Published: 2026-07-13 15:35 - Updated: 2026-07-13 16:03Apache Airflow's EmailOperator and the underlying airflow.utils.email helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used [email] smtp_starttls=True without [email] smtp_ssl. An attacker positioned between the worker and the configured SMTP server (network MITM — typical hostile-network attack-surface for environments where the SMTP relay sits outside the worker's trust boundary) could present a self-signed certificate, have the worker complete the STARTTLS handshake silently, and capture the SMTP AUTH credentials and message contents the worker forwarded.
This CVE covers the core apache-airflow side of the same root cause already covered for the SMTP provider by CVE-2026-41016 (published 2026-04-27, covering apache-airflow-providers-smtp). Users who already applied the SMTP-provider fix from CVE-2026-41016 should additionally upgrade apache-airflow to 3.2.2 or later to cover the core-side path through airflow.utils.email. Affects deployments configured with smtp_starttls=True and smtp_ssl=False where the SMTP relay is reachable across a less-trusted network segment than the worker.
Users are advised to upgrade to apache-airflow 3.2.2 or later.
| Name | purl | apache-airflow | pkg:pypi/apache-airflow |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow",
"purl": "pkg:pypi/apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.0.0",
"2.0.1",
"2.0.1rc1",
"2.0.1rc2",
"2.0.2",
"2.0.2rc1",
"2.1.0",
"2.1.0rc1",
"2.1.0rc2",
"2.1.1",
"2.1.1rc1",
"2.1.2",
"2.1.2rc1",
"2.1.3",
"2.1.3rc1",
"2.1.4",
"2.1.4rc1",
"2.1.4rc2",
"2.10.0",
"2.10.0b1",
"2.10.0b2",
"2.10.0rc1",
"2.10.1",
"2.10.1rc1",
"2.10.2",
"2.10.2rc1",
"2.10.3",
"2.10.3rc1",
"2.10.3rc2",
"2.10.4",
"2.10.4rc1",
"2.10.5",
"2.10.5rc1",
"2.11.0",
"2.11.0rc1",
"2.11.1",
"2.11.1rc1",
"2.11.1rc2",
"2.11.2",
"2.11.2rc1",
"2.2.0",
"2.2.0b1",
"2.2.0b2",
"2.2.0rc1",
"2.2.1",
"2.2.1rc1",
"2.2.1rc2",
"2.2.2",
"2.2.2rc1",
"2.2.2rc2",
"2.2.3",
"2.2.3rc1",
"2.2.3rc2",
"2.2.4",
"2.2.4rc1",
"2.2.5",
"2.2.5rc1",
"2.2.5rc2",
"2.2.5rc3",
"2.3.0",
"2.3.0b1",
"2.3.0rc1",
"2.3.0rc2",
"2.3.1",
"2.3.1rc1",
"2.3.2",
"2.3.2rc1",
"2.3.2rc2",
"2.3.3",
"2.3.3rc1",
"2.3.3rc2",
"2.3.3rc3",
"2.3.4",
"2.3.4rc1",
"2.4.0",
"2.4.0b1",
"2.4.0rc1",
"2.4.1",
"2.4.1rc1",
"2.4.2",
"2.4.2rc1",
"2.4.3",
"2.4.3rc1",
"2.5.0",
"2.5.0rc1",
"2.5.0rc2",
"2.5.0rc3",
"2.5.1",
"2.5.1rc1",
"2.5.1rc2",
"2.5.2",
"2.5.2rc1",
"2.5.2rc2",
"2.5.3",
"2.5.3rc1",
"2.5.3rc2",
"2.6.0",
"2.6.0b1",
"2.6.0rc1",
"2.6.0rc2",
"2.6.0rc3",
"2.6.0rc4",
"2.6.0rc5",
"2.6.1",
"2.6.1rc1",
"2.6.1rc2",
"2.6.1rc3",
"2.6.2",
"2.6.2rc1",
"2.6.2rc2",
"2.6.3",
"2.6.3rc1",
"2.7.0",
"2.7.0b1",
"2.7.0rc1",
"2.7.0rc2",
"2.7.1",
"2.7.1rc1",
"2.7.1rc2",
"2.7.2",
"2.7.2rc1",
"2.7.3",
"2.7.3rc1",
"2.8.0",
"2.8.0b1",
"2.8.0rc1",
"2.8.0rc2",
"2.8.0rc3",
"2.8.0rc4",
"2.8.1",
"2.8.1rc1",
"2.8.2",
"2.8.2rc1",
"2.8.2rc2",
"2.8.2rc3",
"2.8.3",
"2.8.3rc1",
"2.8.4",
"2.8.4rc1",
"2.9.0",
"2.9.0b1",
"2.9.0b2",
"2.9.0rc1",
"2.9.0rc2",
"2.9.0rc3",
"2.9.1",
"2.9.1rc1",
"2.9.1rc2",
"2.9.2",
"2.9.2rc1",
"2.9.3",
"2.9.3rc1",
"3.0.0",
"3.0.0b4",
"3.0.0rc1",
"3.0.0rc1.post1",
"3.0.0rc1.post2",
"3.0.0rc1.post3",
"3.0.0rc1.post4",
"3.0.0rc2",
"3.0.0rc3",
"3.0.0rc4",
"3.0.1",
"3.0.1rc1",
"3.0.2",
"3.0.2rc1",
"3.0.2rc2",
"3.0.3",
"3.0.3rc1",
"3.0.3rc2",
"3.0.3rc3",
"3.0.3rc4",
"3.0.3rc5",
"3.0.3rc6",
"3.0.4",
"3.0.4rc1",
"3.0.4rc2",
"3.0.5",
"3.0.5rc1",
"3.0.5rc2",
"3.0.5rc3",
"3.0.6",
"3.0.6rc1",
"3.0.6rc2",
"3.1.0",
"3.1.0b1",
"3.1.0b2",
"3.1.0rc1",
"3.1.0rc2",
"3.1.1",
"3.1.1rc1",
"3.1.1rc2",
"3.1.2",
"3.1.2rc1",
"3.1.2rc2",
"3.1.3",
"3.1.3rc1",
"3.1.4",
"3.1.4rc1",
"3.1.4rc2",
"3.1.5",
"3.1.5rc1",
"3.1.6",
"3.1.6rc1",
"3.1.7",
"3.1.7rc1",
"3.1.7rc2",
"3.1.8",
"3.1.8rc1",
"3.1.8rc2",
"3.2.0",
"3.2.0b1",
"3.2.0b2",
"3.2.0rc1",
"3.2.0rc2",
"3.2.1",
"3.2.1rc1",
"3.2.1rc2",
"3.2.1rc3",
"3.2.2rc1",
"3.2.2rc2",
"3.2.2rc3"
]
}
],
"aliases": [
"CVE-2026-49267",
"GHSA-799x-qp47-8qwq"
],
"details": "Apache Airflow\u0027s EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used `[email] smtp_starttls=True` without `[email] smtp_ssl`. An attacker positioned between the worker and the configured SMTP server (network MITM \u2014 typical hostile-network attack-surface for environments where the SMTP relay sits outside the worker\u0027s trust boundary) could present a self-signed certificate, have the worker complete the STARTTLS handshake silently, and capture the SMTP AUTH credentials and message contents the worker forwarded.\n\nThis CVE covers the **core apache-airflow side** of the same root cause already covered for the SMTP provider by `CVE-2026-41016` (published 2026-04-27, covering `apache-airflow-providers-smtp`). Users who already applied the SMTP-provider fix from CVE-2026-41016 should additionally upgrade `apache-airflow` to 3.2.2 or later to cover the core-side path through `airflow.utils.email`. Affects deployments configured with `smtp_starttls=True` and `smtp_ssl=False` where the SMTP relay is reachable across a less-trusted network segment than the worker.\n\nUsers are advised to upgrade to `apache-airflow` 3.2.2 or later.",
"id": "PYSEC-2026-2346",
"modified": "2026-07-13T16:03:26.189782Z",
"published": "2026-07-13T15:35:22.979724Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49267"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/65346"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/6v2ds757000msmjmovnnqryqzks83ps0"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/apache-airflow"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-799x-qp47-8qwq"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow has no certificate validation on SMTP STARTTLS connections"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.