5 matches found
PYSEC-2026-24
Apache Airflow's SMTP provider SmtpHook called Python's smtplib.SMTP.starttls without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS...
CVE-2026-26077 Discourse doesn't ensure webhooks require a token
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...
The vulnerabilities of the Airflow SMTP Provider and Airflow IMAP Provider software, which are used for creating, monitoring, and orchestrating data processing scenarios in Airflow, allow attackers to gain unauthorized access to confidential data.
The vulnerabilities of the Airflow SMTP Provider and Airflow IMAP Provider, which are software components for creating, monitoring, and orchestrating data processing scenarios, are related to errors in the certificate validation process. Exploiting these vulnerabilities can allow an attacker to...
PT-2023-4588 · OpenSSL
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.7.0; Apache Airflow SMTP Provider versions prior to 1.3.0; Apache Airflow IMAP Provider versions prior to 3.3.0. Description: The issue is related to the validation of OpenSSL certificates. The default SSL...
Google: Gmail Users Should Have No Expectation of Privacy
Edward Snowden has done enough to highlight how vulnerable electronic communications are to surveillance and Gmail users should not expect privacy from Google. Lavabit is no more. Silent Circle has shuttered its secure email service. A California watchdog group says that Gmail users now have a...