Python Patches python.org API Authentication Bypass Flaw
ID: a895206c-2723-5066-ab16-6455a076087e
STIX ID: report--a895206c-2723-5066-ab16-6455a076087e
Feed Name: securityonline.info
Python.org patched an authentication bypass in its release management API on 2026-02-24 that permitted requests presenting an admin username with any API key to be treated as admin, enabling attackers to change download-page URLs (including links to Sigstore and PGP verification materials) and thus posing a supply-chain risk. A researcher supplied a working proof-of-concept, audits found no signs of abuse, and mitigations (URL domain restrictions, increased log retention, and an audit of the release process) were implemented quickly.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
