Configured SMTP server may be spoofed with any certificate (e.g. self-signed), leaving credentials and all emails sent open to MITM attacks.
The vulnerability has been patched in CKAN 2.10.10 and CKAN 2.11.5
"https://github.com/pypa/advisory-database/blob/main/vulns/ckan/PYSEC-2026-2419.yaml"