Apache Airflow's EmailOperator and the underlying "airflow.utils.email" helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used "[email] smtp_starttls=True" without "[email] smtp_ssl". An attacker positioned between the worker and the configured SMTP server (network MITM — typical hostile-network attack-surface for environments where the SMTP relay sits outside the worker's trust boundary) could present a self-signed certificate, have the worker complete the STARTTLS handshake silently, and capture the SMTP AUTH credentials and message contents the worker forwarded. This CVE covers the core apache-airflow side of the same root cause already covered for the SMTP provider by "CVE-2026-41016" (published 2026-04-27, covering "apache-airflow-providers-smtp"). Users who already applied the SMTP-provider fix from CVE-2026-41016 should additionally upgrade "apache-airflow" to 3.2.2 or later to cover the core-side path through "airflow.utils.email". Affects deployments configured with "smtp_starttls=True" and "smtp_ssl=False" where the SMTP relay is reachable across a less-trusted network segment than the worker. Users are advised to upgrade to "apache-airflow" 3.2.2 or later.