Vulnerability Discovery and Impact
A critical authentication bypass in the python.org release management API could have allowed an attacker to impersonate administrators and manipulate the download links served to millions of users. The flaw was discovered by Splitline Ng of the DEVCORE Research Team and responsibly disclosed on February 23, 2026; it had existed in the codebase since 2014. By supplying an admin username together with an arbitrary API key, an attacker could forge requests that the API treated as fully authenticated administrative requests. Had it been exploited, a threat actor could have altered release metadata, including the URLs for Sigstore signatures and PGP keys, redirecting both the downloads and the material used to verify them and so enabling a large-scale supply chain attack on Python users and downstream distributors.
Patching and Hardening Measures
The Python Security Response Team reproduced the issue on a local instance and deployed a fix within 48 hours; by February 24 the proof of concept no longer worked. Post-incident forensics found no evidence of exploitation: audits of logs, database backups, and artifact signatures from Python 2.5 through 3.13 showed no anomalies. Because request logs had been retained for only 3 days, the backup and signature audits carry most of the weight of that conclusion for the years before the fix. Additional hardening included URL validation that rejects any URL not starting with https://www.python.org/, HTTPS enforcement recommended by a Trail of Bits audit, new negative authentication test cases, and an extension of log retention from 3 to 30 days. A subsequent third-party audit by Trail of Bits, funded by OpenAI, confirmed no further authentication issues.
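The following Python is an added illustration, not pythondotorg code and not the actual patch, that covers both the flaw described in the discovery section and the hardening measures above: an API-key check of the kind that trusts the username and never compares the key, a hardened version using a constant-time comparison, the https://www.python.org/ URL allow-list rule expressed as a parsed check, and negative authentication test cases. The user table, key values, hashing scheme and function names are assumptions made for the example.

```python
"""Constructed example (not pythondotorg's code): an authentication check
that ignores the supplied API key, a hardened replacement, a release-URL
allow-list, and negative auth test cases. Users and keys are made up."""
import hashlib
import hmac
from urllib.parse import urlsplit


def _hash_key(api_key: str) -> str:
    # Keys are stored hashed so a database leak does not hand out raw keys.
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed user table: username -> (hashed API key, is_admin).
USERS = {
    "release-admin": (_hash_key("correct-key-123"), True),
    "reader": (_hash_key("reader-key-456"), False),
}


def authenticate_vulnerable(username: str, api_key: str):
    """The 'before' pattern: the username is looked up and trusted, but the
    supplied key is never compared with the stored one, so any key at all
    is accepted for an existing username. Naming an admin account is enough
    to obtain admin privileges."""
    record = USERS.get(username)
    if record is None:
        return None
    return {"username": username, "is_admin": record[1]}


def authenticate_hardened(username: str, api_key: str):
    """The fixed pattern: the key must match the stored hash, and the
    comparison is constant-time so it does not leak how much of the key
    was right. An unknown username is compared against a dummy digest so
    that 'no such user' and 'wrong key' take the same time."""
    record = USERS.get(username)
    stored_hash = record[0] if record is not None else _hash_key("")
    matches = hmac.compare_digest(_hash_key(api_key), stored_hash)
    if record is None or not matches:
        return None
    return {"username": username, "is_admin": record[1]}


def validate_release_url(url: str) -> bool:
    """Allow-list for release metadata URLs, equivalent to the article's
    rule 'must start with https://www.python.org/' but checked on the
    parsed URL, so scheme, host, userinfo and port are each explicit.
    Whitespace is rejected up front because urlsplit silently strips
    tabs and newlines, which would otherwise let 'https://www.python.org/\\n'
    through a check it should not pass."""
    if any(ch.isspace() for ch in url):
        return False
    parts = urlsplit(url)
    return (
        parts.scheme == "https"
        and parts.hostname == "www.python.org"
        and parts.username is None
        and parts.port is None
        and parts.path.startswith("/")
    )


def negative_auth_cases():
    """Negative authentication test cases of the kind the article says were
    added. Returns the cases the hardened check wrongly accepted, so an
    empty list means the suite passes."""
    cases = [
        ("release-admin", "definitely-not-the-key"),  # admin name, wrong key
        ("release-admin", ""),                        # admin name, empty key
        ("reader", "correct-key-123"),                # right key, wrong user
        ("nobody", "correct-key-123"),                # unknown user
    ]
    return [case for case in cases if authenticate_hardened(*case) is not None]


if __name__ == "__main__":
    print("vulnerable check, bogus key:",
          authenticate_vulnerable("release-admin", "bogus"))
    print("hardened check, bogus key:",
          authenticate_hardened("release-admin", "bogus"))
    print("negative cases wrongly accepted:", negative_auth_cases())
    for candidate in (
        "https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz",
        "http://www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz",
        "https://www.python.org.evil.example/ftp/",
        "https://evil.example/?next=https://www.python.org/",
    ):
        print(validate_release_url(candidate), candidate)
```

Every case in `negative_auth_cases` passes through `authenticate_vulnerable` with admin or reader privileges, which is exactly the regression such tests exist to catch: a suite that only checks that valid credentials succeed would never have flagged the original bug.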
Source: Cyber Security News
