CVE-2026-41016: apache-airflow-providers-smtp: No certificate validation on SMTP STARTTLS connections in SMTP provider
Apache Airflow’s SMTP provider SmtpHook called Python’s smtplib.SMTP.starttls() without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent login() call. Users are advised to upgrade to the apache-airflow-providers-smtp version that contains the fix.
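The fix is a one-argument change: pass an SSLContext that verifies certificates and hostnames into starttls(). The block below is an added example, not code from the Airflow SMTP provider or its fix; the helper names (make_smtp_tls_context, connect_with_verified_starttls, find_starttls_without_context) and the sample source it scans are hypothetical and constructed here. It shows the hardened call shape next to a small AST check a reviewer can run over their own code base to find starttls() calls that pass no context, the pattern the advisory describes.

```python
import ast
import smtplib
import ssl


def make_smtp_tls_context() -> ssl.SSLContext:
    """Return a context that verifies the server certificate and hostname.

    ssl.create_default_context() loads the system CA store and sets
    check_hostname=True with verify_mode=CERT_REQUIRED. When starttls() is
    called with context=None, smtplib instead builds a non-verifying
    context, which is what let a self-signed certificate complete the upgrade.
    """
    return ssl.create_default_context()


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True when the context both requires a certificate and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def connect_with_verified_starttls(host: str, port: int = 587,
                                   timeout: float = 30.0) -> smtplib.SMTP:
    """Open a plaintext SMTP session and upgrade it with certificate validation.

    Hypothetical helper (not the provider's own code). It performs network I/O
    and is not exercised by the offline checks below.
    """
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    smtp.ehlo()
    # Passing the context is the whole fix: a MITM presenting an untrusted
    # certificate now fails the handshake before login() ever sends credentials.
    smtp.starttls(context=make_smtp_tls_context())
    smtp.ehlo()
    return smtp


def find_starttls_without_context(source: str) -> list[int]:
    """Return line numbers of .starttls() calls that pass no 'context' argument.

    A lightweight static check for the advisory's pattern. It flags syntactic
    form only: a context that is passed but configured with CERT_NONE is not
    caught, so treat hits as review candidates rather than proof of a bug.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "starttls":
            has_context_kw = any(kw.arg == "context" for kw in node.keywords)
            # On Python < 3.12 starttls(keyfile, certfile, context) also accepted
            # the context as the third positional argument.
            if not has_context_kw and len(node.args) < 3:
                findings.append(node.lineno)
    return findings


# Constructed sample source modelled on the vulnerable and fixed call shapes.
SAMPLE_SOURCE = '''
def vulnerable(smtp):
    smtp.starttls()             # line 3: no context -> no verification

def fixed(smtp, ctx):
    smtp.starttls(context=ctx)  # line 6: verified upgrade
'''

if __name__ == "__main__":
    ctx = make_smtp_tls_context()
    print("default context verifies:", context_is_verifying(ctx))
    print("unverified starttls() at lines:", find_starttls_without_context(SAMPLE_SOURCE))
```

Running the block offline reports the default context as verifying and flags line 3 of the constructed sample; pointing find_starttls_without_context at real files (for example by reading each module under a provider package) gives a quick inventory of call sites to review after upgrading.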