logo

Python Patches python.org API Authentication Bypass Flaw

ID: a895206c-2723-5066-ab16-6455a076087e

STIX ID: report--a895206c-2723-5066-ab16-6455a076087e

Feed Name: securityonline.info

Threat Score
45/100

Date Published: 2026-06-26

Date Updated: 2026-06-26

Author: Do Son

...
...

Python.org patched an authentication bypass in its release management API on 2026-02-24 that permitted requests presenting an admin username with any API key to be treated as admin, enabling attackers to change download-page URLs (including links to Sigstore and PGP verification materials) and thus posing a supply-chain risk. A researcher supplied a working proof-of-concept, audits found no signs of abuse, and mitigations (URL domain restrictions, increased log retention, and an audit of the release process) were implemented quickly.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.