Critical python.org Vulnerability Allowed Attackers to Forge Admin-Level API Requests
By Guru Baran
June 26, 2026
A critical authentication bypass vulnerability in the python.org release management API could have allowed attackers to impersonate administrators, potentially redirecting millions of users to malicious download URLs.
The flaw, responsibly disclosed on February 23, 2026, by Splitline Ng of the DEVCORE Research Team, was patched within 48 hours of the initial report.
The vulnerability resided in python.org’s release management API, where an attacker could supply an admin username paired with an arbitrary API key and have the request processed with full administrative privileges, a textbook authentication bypass. The flaw had silently existed in the codebase since 2014, spanning over a decade of Python releases.
If exploited, a threat actor could have modified Python release and file metadata, altering the download URLs presented on python.org/downloads, including links to verification materials such as Sigstore signatures and PGP keys.
While attackers could not directly modify release binaries in-place, tampering with verification URLs could have facilitated large-scale supply chain attacks targeting Python users and downstream distributors worldwide.
Critical python.org Vulnerability
The Python Security Response Team (PSRT) confirmed the vulnerability on a local instance and immediately coordinated a fix. Security Developer-in-Residence Seth Larson, alongside Hugo van Kemenade and Jacob Coffee, developed and deployed the patch (python/pythondotorg#2946) to production within 24 hours. By February 24th, DEVCORE confirmed that the proof of concept no longer functioned.
Post-incident forensics showed no evidence of exploitation. PSRT audited logs and database backups and verified all artifact signatures, both Sigstore and PGP, from Python 2.5 through 3.13, finding no anomalies. Python 3.14 and later releases, which no longer provide PGP materials per PEP 761, were verified exclusively via Sigstore.
Beyond patching the authentication logic, several additional security hardening steps were implemented:
URL validation: The database and API now reject any URLs not beginning with https://www.python.org/, blocking attacker-controlled redirects even if authentication is bypassed
HTTPS enforcement: Trail of Bits’ audit added a custom field validator requiring HTTPS URLs for newer releases (#3014)
Negative auth test cases: New test coverage added for all authentication failure branches
Extended log retention: Logging retention increased from 3 days to 30 days to support future audit work
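As an added illustration (not code from the pythondotorg repository or from the actual patch), the following shows the bug class described above, an API-key check that looks up the username but never compares the key, beside a corrected check, plus the URL allow-list from the hardening list; the user store, keys and URLs are constructed for the example.

```python
import hmac
from urllib.parse import urlsplit

# Constructed user store for the demonstration; not python.org data.
USERS = {
    "admin": {"api_key": "correct-admin-key", "is_staff": True},
    "releasemgr": {"api_key": "correct-rm-key", "is_staff": False},
}


def authenticate_broken(username, api_key):
    """Hypothetical vulnerable variant: the user record is found by
    username, but the supplied api_key is never checked, so any key
    paired with an admin username is accepted."""
    user = USERS.get(username)
    if user is None:
        return None
    return user  # BUG: api_key is unused


def authenticate_fixed(username, api_key):
    """Corrected variant: unknown users and mismatched keys are both
    rejected; compare_digest keeps the comparison constant-time."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["api_key"].encode(), api_key.encode()):
        return None
    return user


def is_allowed_download_url(url):
    """Allow-list mirroring the hardening step above: only URLs under
    https://www.python.org/ pass. The parsed hostname is checked too, so
    a userinfo trick such as https://www.python.org@other.example/ fails."""
    parts = urlsplit(url)
    return (
        parts.scheme == "https"
        and parts.hostname == "www.python.org"
        and url.startswith("https://www.python.org/")
    )


if __name__ == "__main__":
    # Negative cases of the kind the new test coverage targets.
    assert authenticate_broken("admin", "anything") is not None  # the bug
    assert authenticate_fixed("admin", "anything") is None
    assert authenticate_fixed("nobody", "correct-admin-key") is None
    assert not is_allowed_download_url("https://www.python.org.other.example/")
    print("checks passed")
```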
A third-party audit by Trail of Bits, funded by OpenAI, was completed on June 1st and confirmed the absence of any additional authentication or authorization issues. LLM-assisted auditing tools applied in April also returned clean results.