CVE-2026-41016— Apache Airflow Providers SMTP: No certificate validation on SMTP STARTTLS connections in SMTP provider

Apache Airflow Providers SMTP: No certificate validation on SMTP STARTTLS connections in SMTP provider

Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix.

N/A

证书验证不恰当

Apache Airflow 信任管理问题漏洞

Apache Airflow是美国阿帕奇（Apache）基金会的一套具有创建、管理和监控工作流程功能的开源平台。该平台具有可扩展和动态监控等特点。 Apache Airflow存在信任管理问题漏洞，该漏洞源于SmtpHook调用smtplib.SMTP.starttls()时未使用SSL上下文，未进行证书验证，可能导致中间人攻击者捕获SMTP凭据。

N/A

N/A