PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49267 Apache Software Foundation CVE debrief

Apache Airflow's core email utilities fail to verify SMTP server certificates during STARTTLS negotiation, enabling network-positioned attackers to intercept credentials and message contents via forged certificates. This CVE addresses the core `apache-airflow` package, complementing the prior SMTP-provider fix in CVE-2026-41016 (2026-04-27). Affected configurations use `[email] smtp_starttls=True` without `[email] smtp_ssl` and expose SMTP traffic to less-trusted network segments.

Vendor: Apache Software Foundation
Product: Apache Airflow
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Apache Airflow with a STARTTLS-enabled email configuration whose SMTP relay traffic traverses untrusted or semi-trusted networks, particularly those that applied the CVE-2026-41016 provider fix and assumed it gave complete coverage.

Technical summary

When `[email] smtp_starttls=True` is configured without `[email] smtp_ssl`, Apache Airflow's `airflow.utils.email` helpers and the EmailOperator initiate STARTTLS but do not validate the remote SMTP server's certificate. An attacker positioned on the network path (MITM) can present an arbitrary certificate, complete the TLS handshake, and capture the SMTP AUTH credentials plus the email contents. The vulnerability exists in the core package, separate from the SMTP provider path fixed under CVE-2026-41016. The resolution in apache-airflow 3.2.2 adds proper certificate verification to the STARTTLS code path.

Defensive priority

High

Recommended defensive actions

  • Upgrade apache-airflow to version 3.2.2 or later to obtain certificate verification for STARTTLS connections in `airflow.utils.email`.
  • If you already patched CVE-2026-41016 (apache-airflow-providers-smtp), confirm that the core package is also upgraded to 3.2.2 or later; the provider fix does not cover the core utility path.
  • Audit the `[email]` configuration: if `smtp_starttls=True` and `smtp_ssl=False`, either verify that the network path to the SMTP relay is trusted or upgrade immediately.
  • Rotate SMTP credentials if the deployment was historically exposed to untrusted network segments.
  • Monitor for unexpected certificate validation failures after the upgrade; they may indicate invalid certificates that were previously accepted silently.
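The following is an added example, not Airflow's own code: it audits an `[email]` block for the exposed `smtp_starttls=True` / `smtp_ssl=False` combination described in the technical summary, and shows the verifying STARTTLS pattern (explicit `ssl.SSLContext` with hostname checking and `CERT_REQUIRED`) that the unfixed path lacks. The configuration text and the `send_over_verified_starttls` helper are constructed for illustration.

```python
"""Audit an airflow.cfg [email] block for the CVE-2026-49267 exposure and
show a STARTTLS connection that verifies the server certificate."""
import configparser
import smtplib
import ssl

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CFG = """
[email]
smtp_starttls = True
smtp_ssl = False
"""


def starttls_exposure(cfg_text: str) -> dict:
    """Return the relevant flags and whether the unverified-STARTTLS path is in use."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    starttls = parser.getboolean("email", "smtp_starttls", fallback=False)
    use_ssl = parser.getboolean("email", "smtp_ssl", fallback=False)
    # Exposure condition from the advisory: STARTTLS on, implicit TLS (smtp_ssl) off.
    return {"smtp_starttls": starttls, "smtp_ssl": use_ssl,
            "exposed": starttls and not use_ssl}


def verified_tls_context() -> ssl.SSLContext:
    """TLS context that rejects forged certificates: CA chain + hostname are checked."""
    ctx = ssl.create_default_context()  # loads the system CA store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_over_verified_starttls(host, port, user, password, msg):
    """Hypothetical sender. Calling smtp.starttls() with no context uses a
    non-verifying stdlib default, which is the class of weakness this CVE
    describes; passing a verifying context makes the handshake fail on a
    forged certificate instead of leaking AUTH credentials over it."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        smtp.starttls(context=verified_tls_context())
        smtp.ehlo()
        smtp.login(user, password)
        smtp.send_message(msg)
```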

Evidence notes

CWE-295 (Improper Certificate Validation) assigned by [email protected]. Fix implemented in a GitHub pull request. Apache security mailing list thread published. NVD status 'Undergoing Analysis' as of source capture.

Official resources

2026-06-01