MEDIUM 5.9

CVE-2026-49267: Apache Airflow EmailOperator STARTTLS Certificate Verification Bypass

Apache Airflow's EmailOperator and email utilities fail to validate the SMTP server's certificate when configured to use STARTTLS encryption without full SSL/TLS. This allows an attacker on the network between your Airflow worker and SMTP server to intercept the connection, inject a fraudulent certificate, and steal login credentials and email contents without detection. The risk is elevated in environments where the SMTP relay sits outside your trusted network perimeter.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-295
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used `[email] smtp_starttls=True` without `[email] smtp_ssl`. An attacker positioned between the worker and the configured SMTP server (network MITM — typical hostile-network attack-surface for environments where the SMTP relay sits outside the worker's trust boundary) could present a self-signed certificate, have the worker complete the STARTTLS handshake silently, and capture the SMTP AUTH credentials and message contents the worker forwarded. This CVE covers the **core apache-airflow side** of the same root cause already covered for the SMTP provider by `CVE-2026-41016` (published 2026-04-27, covering `apache-airflow-providers-smtp`). Users who already applied the SMTP-provider fix from CVE-2026-41016 should additionally upgrade `apache-airflow` to 3.2.2 or later to cover the core-side path through `airflow.utils.email`. Affects deployments configured with `smtp_starttls=True` and `smtp_ssl=False` where the SMTP relay is reachable across a less-trusted network segment than the worker. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49267 addresses improper certificate verification in Apache Airflow's core email handling when smtp_starttls=True and smtp_ssl=False. The STARTTLS protocol upgrade occurs without hostname or certificate chain validation, enabling a network-positioned attacker to perform a man-in-the-middle attack. The worker completes the handshake with an attacker-controlled certificate, allowing capture of SMTP AUTH credentials and message payloads. This is the core-side equivalent of CVE-2026-41016, which separately covered the same flaw in the apache-airflow-providers-smtp package.

Business impact

Email-dependent Airflow workflows transmit database credentials, API tokens, and business-critical alerts through SMTP. Compromise of those credentials via MITM interception can lead to unauthorized access to downstream systems and data exfiltration. Organizations relying on Airflow for notification pipelines may unknowingly be exposing sensitive authentication material if their SMTP infrastructure spans untrusted network boundaries.

Affected systems

Apache Airflow versions prior to 3.2.2 are vulnerable when deployed with [email] smtp_starttls=True and [email] smtp_ssl=False. Specifically, the airflow.utils.email module and EmailOperator are affected. Deployments using smtp_ssl=True alone, or those not using STARTTLS, are unaffected. The vulnerability does not affect the separate SMTP provider package (apache-airflow-providers-smtp); however, users should verify they have applied CVE-2026-41016 patches to that provider as well.

Exploitability

Exploitation requires network positioning between the Airflow worker and SMTP server—a realistic threat in environments where the email relay is located on a separate network segment, DMZ, or cloud provider. No special credentials, authentication, or user interaction are required once the attacker is on-path. The attack is silent; the worker has no indication the certificate was invalid. CVSS score 5.9 (MEDIUM) reflects the high confidentiality impact but limited integrity risk, and the prerequisite requirement that the attacker occupy an advantageous network position (AC:H).

Remediation

Upgrade Apache Airflow to version 3.2.2 or later, which adds proper certificate verification to the STARTTLS code path. Additionally, users should audit their [email] configuration to determine whether smtp_starttls and smtp_ssl settings align with their threat model. Consider using smtp_ssl=True (direct TLS) for greater protocol security and simplicity. If STARTTLS is required, ensure the SMTP relay and workers occupy the same trusted network boundary, or deploy a VPN/mTLS tunnel to isolate the connection.

Patch guidance

Apply Apache Airflow 3.2.2 or later from the official Apache repository. Verify the patch by checking airflow.__version__ post-upgrade. If you also use apache-airflow-providers-smtp, apply the fix for CVE-2026-41016 (published 2026-04-27) to close the provider-side code path. Test the upgrade in a non-production environment to confirm email functionality and SMTP connectivity before rolling out to production workers.

Detection guidance

Monitor SMTP connection logs and TLS/SSL handshake records on your SMTP relay for unexpected certificate errors or mismatches from your Airflow worker IP addresses. Enable debug logging in Airflow's email module (set log_level to DEBUG) and inspect logs for certificate validation warnings or errors. Network-level detection via TLS certificate pinning or mutual TLS (mTLS) between worker and relay can prevent MITM attacks entirely. Correlate sudden changes in SMTP AUTH failure rates with security events or network topology changes.

Why prioritize this

This vulnerability should be prioritized for environments where SMTP relays are located outside the worker's immediate network trust zone. Organizations using Airflow to dispatch alerts, notifications, or secrets to downstream systems face elevated risk of credential theft. The CVSS score is MEDIUM but confidentiality impact is HIGH; the primary barrier to exploitation is network position, not technical complexity. Patch within your next scheduled maintenance window, or immediately if your SMTP infrastructure is internet-facing or on an untrusted network segment.

Risk score, explained

CVSS 5.9 (MEDIUM) reflects a confidentiality impact score of HIGH—exposed credentials and message content carry real risk—balanced against the requirement that an attacker be network-positioned between worker and SMTP server (AC:H, AV:N). Integrity and availability are not impacted, as the attacker observes rather than modifies traffic. The score does not account for business context; organizations using Airflow in high-value notification or data-pipeline roles should treat this as a higher operational priority despite the MEDIUM baseline.

Frequently asked questions

Do I need to patch if my Airflow workers and SMTP relay are on the same internal network?

The vulnerability requires a network-positioned attacker. If your SMTP relay is on the same isolated internal network segment as your workers, the attack surface is constrained. However, best practice is to patch regardless, as network topologies change and defense-in-depth assumes no single trust boundary is impenetrable.

I use smtp_ssl=True, not smtp_starttls. Am I affected?

No. This vulnerability is specific to the STARTTLS code path when smtp_starttls=True and smtp_ssl=False. Direct TLS (smtp_ssl=True) validates certificates by default and is not affected by CVE-2026-49267.

Do I need to rotate SMTP credentials after patching?

Yes. If your deployment was vulnerable and your SMTP relay is not isolated to a fully trusted network, assume credentials may have been harvested. Rotate SMTP AUTH passwords and any secrets that were transmitted via email before patching. Review email logs for unusual activity.

CVE-2026-41016 fixed the SMTP provider. Do I still need to patch core Airflow?

Yes. CVE-2026-41016 fixed the apache-airflow-providers-smtp package, which is a separate code path. This CVE covers the core airflow.utils.email module and EmailOperator in the main apache-airflow package. You must apply both patches to fully remediate the vulnerability across all email code paths.

This analysis is provided for informational purposes to support vulnerability assessment and patch planning. It does not constitute professional security advice. Organizations should verify all patch versions, compatibility, and remediation steps against official Apache Airflow security advisories and their own change-management processes. Testing in non-production environments is mandatory before production deployment. SEC.co and its analysts assume no liability for decisions made based on this analysis. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).