PYSEC-2026-24

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-smtp/PYSEC-2026-24.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2026-24

Aliases

Published

2026-04-30T10:16:01.930Z

Modified

2026-05-22T13:26:18.133550405Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Apache Airflow's SMTP provider SmtpHook called Python's smtplib.SMTP.starttls() without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent login() call. Users are advised to upgrade to the apache-airflow-providers-smtp version that contains the fix.

References

Affected packages

PyPI / apache-airflow-providers-smtp

Package

Name: apache-airflow-providers-smtp; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow-providers-smtp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

3.0.0

Affected versions

2.*

2.0.0

2.0.1rc1

2.0.1

2.0.2rc1

2.0.2

2.0.3rc1

2.0.3

2.1.0rc1

2.1.0

2.1.1rc1

2.1.1

2.1.2rc1

2.1.2

2.2.0rc1

2.2.0

2.2.1rc1

2.2.1

2.3.0rc1

2.3.0

2.3.1rc1

2.3.1

2.3.2rc1

2.3.2

2.4.0rc1

2.4.0

2.4.1rc1

2.4.1

2.4.2rc1

2.4.2

2.4.3rc1

2.4.3

2.4.4rc1

2.4.4

2.4.5rc1

2.4.5

3.*

3.0.0rc1

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-smtp/PYSEC-2026-24.yaml"