Intel

AIKIDO-2026-481629

apprise is vulnerable to Improper Certificate Validation

Improper Certificate Validation Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

45

Medium Risk

This Affects:

PYTHONapprise
0.0.1 - 1.11.0
Fixed in 1.12.0
Are you affected? Scan for Free

TL;DR

The email plugin opens SMTPS and STARTTLS connections without passing an ssl context, so smtplib falls back to an unverified stdlib context that does not validate the certificate chain or hostname. The URL-level verify_certificate setting, which defaults to enabled, is silently ignored for the SMTP TLS handshake, so a self-signed or hostname-mismatched certificate is accepted before credentials or message data are sent. An attacker able to intercept or redirect SMTP traffic can present an untrusted certificate, complete the handshake, and capture SMTP credentials and notification contents. The fix builds an ssl context from verify_certificate and passes it to both SMTP_SSL and starttls.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you send notifications over SMTPS or STARTTLS email (mailtos://) connections.

Background info

apprise is vulnerable to Improper Certificate Validation in versions 0.0.1 - 1.11.0.

How to fix this

Upgrade the apprise library to the patch version.