Critical Authentication Bypass Flaw in Python.org API Patched After Decade-Long Exposure
A severe authentication bypass vulnerability in Python.org's release management API, present since 2014, was reported and patched in February 2026. Splitline Ng of the DEVCORE Research Team reported the flaw on February 23: supplying an administrator's username together with an arbitrary API key was accepted as a valid login, granting full administrative privileges.
If exploited, the vulnerability would have let an attacker alter Python release metadata on python.org/downloads, including download URLs and verification materials (Sigstore signatures and PGP keys). The API did not allow modifying the release binaries themselves, but redirecting download links or swapping the verification material could have pointed users at attacker-controlled artifacts, enabling large-scale supply chain attacks on Python users and downstream distributors worldwide.
The Python Security Response Team (PSRT) reproduced the flaw on a local instance and deployed a patch (python/pythondotorg#2946) within 48 hours; DEVCORE verified the fix on February 24. Post-incident forensics, including log audits and signature verification of the release artifacts for Python 2.5 through 3.13, found no evidence of exploitation.
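The bug class described above, as an added illustration that is not the pythondotorg code or its patch: a hypothetical API-key check that resolves the named account and trusts its privileges but never compares the supplied key with the stored one, beside a hardened version that compares the key hash in constant time, plus the negative cases a test suite should cover for both. The user store, key values and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    username: str
    key_hash: str        # hex SHA-256 of the account's API key
    is_superuser: bool   # may edit release metadata


def hash_key(api_key: str) -> str:
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed sample accounts for the example; not real python.org users or keys.
USERS = {
    "release-admin": User("release-admin", hash_key("admin-key-4f2c"), True),
    "contributor": User("contributor", hash_key("contrib-key-9a1e"), False),
}

# Hash compared against when the username is unknown, so lookup failures take
# the same code path (and roughly the same time) as wrong keys.
DUMMY_HASH = hash_key(secrets.token_hex(32))


def authenticate_vulnerable(username: str, api_key: str) -> Optional[User]:
    """Hypothetical reconstruction of the bug class: the account is resolved by
    username and its privileges trusted, but the supplied key is never compared
    with the stored one, so any non-empty key is accepted."""
    user = USERS.get(username)
    if user is None or not api_key:
        return None
    return user


def authenticate_fixed(username: str, api_key: str) -> Optional[User]:
    """Hardened form: the key must match the stored hash, compared in constant
    time; an unknown username is rejected after performing the same comparison."""
    user = USERS.get(username)
    expected = user.key_hash if user is not None else DUMMY_HASH
    key_ok = hmac.compare_digest(hash_key(api_key), expected)
    if user is None or not key_ok:
        return None
    return user


Authenticator = Callable[[str, str], Optional[User]]


def can_edit_release(auth: Authenticator, username: str, api_key: str) -> bool:
    """Authorization gate for the release-metadata endpoints."""
    user = auth(username, api_key)
    return user is not None and user.is_superuser


# Negative cases, every one of which must be rejected: empty key, wrong key,
# another account's valid key, unknown username, and the admin key paired with
# a different username.
NEGATIVE_CASES = [
    ("release-admin", ""),
    ("release-admin", "wrong-key"),
    ("release-admin", "contrib-key-9a1e"),
    ("nobody", "admin-key-4f2c"),
    ("contributor", "admin-key-4f2c"),
]


def rejects_all_negative_cases(auth: Authenticator) -> bool:
    return all(auth(u, k) is None for u, k in NEGATIVE_CASES)


if __name__ == "__main__":
    for name, auth in (("vulnerable", authenticate_vulnerable), ("fixed", authenticate_fixed)):
        print(name,
              "| admin username + arbitrary key accepted:", can_edit_release(auth, "release-admin", "anything"),
              "| all negative cases rejected:", rejects_all_negative_cases(auth))
```

The point of the negative-case list is that a positive test (valid username, valid key) passes against both functions; only the rejection cases distinguish them, which is why expanded coverage of authentication failures matters.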
Additional security measures were implemented to mitigate future risks:
- URL validation: release download URLs are restricted to the https://www.python.org/ prefix to prevent malicious redirects.
- HTTPS enforcement: Trail of Bits' audit introduced a custom validator that accepts only HTTPS URLs in newer releases.
- Negative auth test cases: expanded test coverage for authentication failures.
- Extended log retention: increased from 3 to 30 days for improved auditing.
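The URL restriction in the first two bullets, as an added example that is not the pythondotorg project's validator: a loose prefix check beside a strict parse-based check that requires the https scheme, exactly the www.python.org host (no userinfo, no port) and an absolute path, run over a constructed set of download URLs that includes look-alike hosts. The function names and the URL list are assumptions made for the example; inside a Django model the strict check would be wrapped in a validator that raises ValidationError.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "www.python.org"


def weak_is_allowed(url: str) -> bool:
    """Prefix check without the trailing slash. It accepts any URL whose text
    merely begins with the allowed origin, including sibling hosts
    (www.python.org.evil.example) and userinfo tricks (www.python.org@evil...)."""
    return url.startswith("https://" + ALLOWED_HOST)


def strict_is_allowed(url: str) -> bool:
    """Parse the URL and require: https scheme, exactly the allowed host
    (no userinfo, no port), an absolute path, and no whitespace or control
    characters that could confuse a downstream consumer of the value."""
    if not isinstance(url, str) or any(c.isspace() or ord(c) < 0x20 for c in url):
        return False
    parts = urlsplit(url)
    return (
        parts.scheme == "https"
        and parts.netloc.lower() == ALLOWED_HOST
        and parts.path.startswith("/")
    )


# Constructed test vectors: (url, should_be_accepted). Not real release entries.
CASES = [
    ("https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz", True),
    ("https://www.python.org/downloads/release/python-3130/", True),
    ("http://www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz", False),   # plain http
    ("https://www.python.org.evil.example/Python-3.13.0.tgz", False),       # sibling host
    ("https://www.python.org@evil.example/Python-3.13.0.tgz", False),       # userinfo trick
    ("https://evil.example/https://www.python.org/Python-3.13.0.tgz", False),
    ("https://www.python.org:8443/Python-3.13.0.tgz", False),               # unexpected port
    ("https://www.python.org/Python-3.13.0.tgz\r\nLocation: https://evil.example/", False),
    ("javascript:alert(document.domain)", False),
]


def misclassified(validator) -> list:
    """URLs on which the validator's verdict differs from the expected one."""
    return [url for url, expected in CASES if validator(url) != expected]


if __name__ == "__main__":
    for name, validator in (("weak", weak_is_allowed), ("strict", strict_is_allowed)):
        print(name, "misclassifies:", misclassified(validator))
```

The weak check gets the sibling-host, userinfo, port and CRLF cases wrong while still rejecting plain http, which is why a scheme-only rule is not enough: the host comparison has to be done on the parsed authority, not on the raw string.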
A third-party audit by Trail of Bits, funded by OpenAI and completed on June 1, confirmed no further authentication or authorization issues. Earlier LLM-assisted audits in April also returned no additional vulnerabilities.
Source: https://cybersecuritynews.com/critical-python-org-vulnerability/
Python Software Foundation cybersecurity rating report: https://www.rankiteo.com/company/thepsf
Python System Design cybersecurity rating report: https://www.rankiteo.com/company/python
Incident record (site metadata):
id: THEPYT1782476902
linkid: thepsf, python
type: Vulnerability
date: 2/2026
severity: 100
impact: 5
explanation: Attack threatening the organization's existence

affected_entities:
  - name: Python Software Foundation
    type: Non-profit organization
    industry: Software Development
    location: Global
    customers_affected: Python users and downstream distributors globally
attack_vector: API Exploitation
data_breach:
  sensitivity_of_data: High (potential supply chain attack vector)
  type_of_data_compromised: Release metadata (download URLs, Sigstore signatures, PGP keys) was at risk; forensics found no evidence that any of it was altered
date_detected: 2026-02-23
date_publicly_disclosed: 2026-02-23
date_resolved: 2026-02-24
description: A severe authentication bypass vulnerability in Python.org's release management API, present since 2014, was disclosed and patched in February 2026. The flaw allowed attackers to impersonate administrators by supplying an admin username with an arbitrary API key, granting full administrative privileges. This could have enabled threat actors to alter Python release metadata, including download URLs and verification materials, potentially facilitating large-scale supply chain attacks.
impact:
  brand_reputation_impact: Potential reputational damage due to supply chain attack risk
  operational_impact: Potential supply chain attacks targeting Python users and downstream distributors
  systems_affected: Python.org release management API; release artifacts for Python versions 2.5 to 3.13 were checked and their signatures verified intact
investigation_status: Completed
lessons_learned: Importance of extended log retention, URL validation, and HTTPS enforcement in API security. Need for expanded test coverage for authentication failures.
post_incident_analysis:
  corrective_actions: Patch deployment, URL validation, HTTPS enforcement, expanded test coverage, extended log retention, third-party audit.
  root_causes: Authentication bypass flaw in Python.org's release management API due to insufficient validation of admin credentials (the supplied API key was not checked against the named account).
recommendations: Implement stricter URL validation, enforce HTTPS-only policies, expand negative test cases for authentication, and increase log retention for auditing purposes.
references:
  - DEVCORE Research Team
  - Python Security Response Team (PSRT)
  - Trail of Bits Audit
response:
  containment_measures: Patch deployment (python/pythondotorg#2946) within 48 hours
  enhanced_monitoring: Extended log retention from 3 to 30 days
  incident_response_plan_activated: Yes
  recovery_measures: Log audits, artifact signature verification, third-party audit
  remediation_measures: URL validation, HTTPS enforcement, expanded test coverage, extended log retention
  third_party_assistance: DEVCORE Research Team, Trail of Bits
title: Critical Authentication Bypass Flaw in Python.org API
type: Authentication Bypass
vulnerability_exploited: Authentication Bypass in Python.org's release management API