CVE-2026-49267 Overview
CVE-2026-49267 affects Apache Airflow's EmailOperator and the underlying airflow.utils.email helper functions. The vulnerability stems from missing TLS certificate validation when establishing SMTP STARTTLS connections. Deployments configured with [email] smtp_starttls=True and [email] smtp_ssl=False complete the STARTTLS handshake without verifying the remote SMTP server certificate. An attacker positioned between the Airflow worker and the SMTP relay can present a self-signed certificate, intercept the AUTH exchange, and capture both SMTP credentials and message contents. This issue is the core-side counterpart to CVE-2026-41016, which addressed the same root cause in apache-airflow-providers-smtp.
Critical Impact
A network-positioned attacker can silently intercept SMTP credentials and email contents forwarded by Airflow workers when STARTTLS is enabled without explicit SSL configuration.
Affected Products
- Apache Airflow versions prior to 3.2.2
- Deployments using EmailOperator with smtp_starttls=True and smtp_ssl=False
- Workers communicating with SMTP relays across less-trusted network segments
Discovery Timeline
- 2026-06-01 - CVE-2026-49267 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-49267
Vulnerability Analysis
The flaw is an Improper Certificate Validation issue [CWE-295] in Apache Airflow's email-sending code path. When airflow.utils.email initiates an SMTP connection and smtp_starttls=True is set without smtp_ssl=True, the worker upgrades the plaintext SMTP session to TLS via STARTTLS. The upgrade succeeds against any certificate presented by the remote endpoint, including self-signed certificates from unauthorized hosts. The worker then proceeds with SMTP AUTH and message transmission over the attacker-controlled TLS channel.
This vulnerability is the core-apache-airflow instance of the same defect previously patched in the SMTP provider package under CVE-2026-41016. Operators who applied only the provider-side fix remain exposed through the airflow.utils.email helpers invoked by EmailOperator and related task callbacks.
Root Cause
The SMTP client code constructs a TLS context that omits server certificate verification and hostname checking. STARTTLS negotiation completes without validating the certificate chain against trusted certificate authorities. The defect classifies under [CWE-295] Improper Certificate Validation.
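The following is an added illustration of that root cause, not code from Apache Airflow or from the fix: the non-verifying context shape the advisory describes beside a verifying one, a preflight check that distinguishes them, and a send routine that always passes an explicit verifying context to `starttls()` instead of relying on the library default and only authenticates once the peer certificate has been validated. The relay name, port and credentials in the `__main__` block are hypothetical.

```python
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional


def weak_starttls_context() -> ssl.SSLContext:
    """The defective shape described in the advisory: any certificate is accepted and
    the hostname is never checked. Present only so the preflight below has something
    to reject; never use it for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_starttls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """A verifying context: chain validated against the system trust store (or a
    private CA bundle via cafile), hostname checked, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True         # already set by create_default_context; restated for clarity
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Preflight: True only if this context would refuse an untrusted or mismatched
    certificate, i.e. the property the vulnerable code path lacked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def send_via_starttls(host: str, port: int, user: str, password: str,
                      msg: EmailMessage, ctx: Optional[ssl.SSLContext] = None) -> None:
    """Plaintext connect, STARTTLS upgrade with an explicit verifying context, and only
    then AUTH. A certificate the trust store rejects raises ssl.SSLCertVerificationError
    inside starttls(), so credentials are never written to an unauthenticated channel."""
    ctx = ctx if ctx is not None else hardened_starttls_context()
    if not context_verifies_peer(ctx):
        raise ValueError("refusing STARTTLS with a non-verifying TLS context")
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        smtp.ehlo()                   # re-EHLO over TLS, as RFC 3207 directs
        smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Hypothetical message; the relay and credentials would be yours when trying this.
    message = EmailMessage()
    message["From"] = "airflow-notify@example.com"
    message["To"] = "oncall@example.com"
    message["Subject"] = "DAG failure notification"
    message.set_content("task failed")
    print("hardened context verifies peer:", context_verifies_peer(hardened_starttls_context()))
    print("weak context verifies peer:", context_verifies_peer(weak_starttls_context()))
```

The design point is ordering: the preflight and the `starttls(context=...)` call both happen before `login()`, so a relay presenting a certificate the trust store does not chain to, or one whose name does not match `host`, terminates the session before any AUTH data leaves the worker.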
Attack Vector
Exploitation requires network-adjacent positioning between the Airflow worker and the configured SMTP relay. The attacker intercepts the initial plaintext SMTP banner, responds to the STARTTLS command, and presents a self-signed certificate during the TLS upgrade. The worker accepts the certificate, transmits SMTP AUTH credentials, and forwards email contents over the attacker-terminated TLS session. The high attack complexity reflects the requirement for an active man-in-the-middle (MITM) position on the network path. Refer to the Apache Airflow Pull Request for the patch implementation and the Apache Mailing List Thread for the advisory text.
Detection Methods for CVE-2026-49267
Indicators of Compromise
- Unexpected certificate fingerprints presented by hosts answering on TCP/25, TCP/465, or TCP/587 from Airflow worker subnets
- ARP table anomalies or routing changes between Airflow workers and the configured SMTP relay
- SMTP authentication failures recorded on the legitimate relay at the same time that Airflow worker logs report successful authentication
Detection Strategies
- Inspect outbound SMTP traffic from Airflow workers and compare TLS certificate fingerprints against the expected SMTP relay certificate
- Audit Airflow configuration files for smtp_starttls=True combined with smtp_ssl=False across environments
- Review worker task logs for EmailOperator invocations and correlate destination SMTP host metadata
Monitoring Recommendations
- Enable network flow logging for egress traffic from Airflow worker nodes to SMTP destinations
- Alert on new or changed TLS certificates observed on SMTP server connections from CI/data-pipeline subnets
- Track Airflow version inventory and flag instances running apache-airflow below 3.2.2
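An added example, not part of the advisory or of Airflow, that implements the configuration audit and the version-inventory check from the two lists above in one script: it parses an airflow.cfg fragment, honours the `AIRFLOW__SMTP__<KEY>` environment overrides that Airflow applies on top of the file, flags the `smtp_starttls=True` with `smtp_ssl=False` combination, and flags an apache-airflow core version below 3.2.2. The two config fragments are constructed samples; the finding codes are this script's own.

```python
import configparser
import re
from typing import List, Mapping, Optional, Tuple

# First apache-airflow release carrying the fix, as stated in the advisory.
FIXED_VERSION = (3, 2, 2)

# Constructed sample airflow.cfg fragments (not taken from any real deployment).
VULNERABLE_CFG = """\
[smtp]
smtp_host = smtp.internal.example.com
smtp_starttls = True
smtp_ssl = False
smtp_port = 587
"""

HARDENED_CFG = """\
[smtp]
smtp_host = smtp.internal.example.com
smtp_starttls = False
smtp_ssl = True
smtp_port = 465
"""

_TRUE_WORDS = {"1", "true", "t", "yes", "y", "on"}


def _as_bool(value: str) -> bool:
    return value.strip().lower() in _TRUE_WORDS


def effective_smtp_setting(cfg: configparser.ConfigParser, key: str,
                           env: Mapping[str, str]) -> Optional[str]:
    """Airflow lets AIRFLOW__<SECTION>__<KEY> environment variables override airflow.cfg,
    so an audit that reads only the file can miss the live value; mirror that precedence."""
    env_key = f"AIRFLOW__SMTP__{key.upper()}"
    if env_key in env:
        return env[env_key]
    return cfg.get("smtp", key, fallback=None)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'3.2.2', '3.2.2rc1' and '2.10' all parse. Pre-release suffixes are ignored, so a
    release candidate of 3.2.2 compares as fixed and deserves a manual look."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def audit(cfg_text: str, core_version: str,
          env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Return findings as 'CODE: detail' strings; an empty list means nothing to flag."""
    env = env or {}
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings: List[str] = []

    starttls_raw = effective_smtp_setting(cfg, "smtp_starttls", env)
    ssl_raw = effective_smtp_setting(cfg, "smtp_ssl", env)
    for name, raw in (("smtp_starttls", starttls_raw), ("smtp_ssl", ssl_raw)):
        if raw is None:
            # Not set in the file or the environment: Airflow's built-in default applies.
            # This script does not assume that default; check it for the installed version.
            findings.append(f"UNSPECIFIED: {name} not set in [smtp] or environment; verify the default")

    if (starttls_raw is not None and ssl_raw is not None
            and _as_bool(starttls_raw) and not _as_bool(ssl_raw)):
        findings.append("STARTTLS_NO_VERIFY: smtp_starttls=True with smtp_ssl=False "
                        "(STARTTLS upgrade path, CVE-2026-49267)")

    if parse_version(core_version) < FIXED_VERSION:
        findings.append(f"OUTDATED_CORE: apache-airflow {core_version} is below 3.2.2")
    return findings


def finding_codes(findings: List[str]) -> List[str]:
    return [f.split(":", 1)[0] for f in findings]


if __name__ == "__main__":
    for label, text, ver in (("vulnerable", VULNERABLE_CFG, "3.2.1"),
                             ("hardened", HARDENED_CFG, "3.2.2")):
        print(label, audit(text, ver) or ["clean"])
```

Run it per environment with the real `airflow.cfg` text, the output of `pip show apache-airflow`, and the worker's environment so that a container that overrides the file through `AIRFLOW__SMTP__SMTP_STARTTLS` is not reported as clean on the strength of the file alone.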
How to Mitigate CVE-2026-49267
Immediate Actions Required
- Upgrade apache-airflow to version 3.2.2 or later on all scheduler, worker, and webserver nodes
- Confirm apache-airflow-providers-smtp is patched against CVE-2026-41016 as a separate dependency
- Rotate any SMTP credentials used by Airflow workers that transit untrusted network segments
Patch Information
Apache released the fix in apache-airflow 3.2.2. The change enforces certificate validation during STARTTLS negotiation in airflow.utils.email. Implementation details are available in the Apache Airflow Pull Request #65346.
Workarounds
- Set [email] smtp_ssl=True to use implicit TLS on port 465 instead of STARTTLS, bypassing the vulnerable upgrade path
- Route SMTP traffic exclusively over trusted network segments where MITM positioning is not feasible
- Replace EmailOperator usage with a notification mechanism that does not transit SMTP, such as an internal HTTPS webhook
# Configuration example: airflow.cfg adjustments
[email]
email_backend = airflow.utils.email.send_email_smtp
[smtp]
smtp_host = smtp.internal.example.com
# Implicit TLS on 465; the STARTTLS upgrade path is not used at all
smtp_starttls = False
smtp_ssl = True
smtp_port = 465
smtp_user = airflow-notify
# Rotate the credential after upgrading if it may have transited an untrusted segment
smtp_password = <rotated-credential>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.