Home Embedded Vulns General Vulns

CVE-2026-41016

MEDIUM 5.9

Our Analysis: General Purpose

Our model has classified this vulnerability as relevant to General Purpose Systems, helping your team prioritize efforts effectively.

Published Date April 30, 2026
Last Modified April 30, 2026
CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix.

Potentially Affected Vendors