TL;DR
The Python Software Foundation fixed a python.org authentication bypass on February 24, 2026. The flaw sat in the release management API. It let a request pass an admin username with any API key and gain admin rights.
Why this python.org authentication bypass matters
python.org serves download links to millions of developers. An attacker could not alter release files in place. However, they could change the URLs shown on the downloads page. That includes links to Sigstore and PGP verification material. As a result, the bug touched the software supply chain.
How the attack works
The release management API mixed two login modes. A guest request could supply an admin username with an arbitrary API key. The server then processed that request with admin privileges. DEVCORE researcher Splitline Ng reported the issue on February 23, 2026.
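The class of bug described above, in a simplified illustration added here (this is not python.org's own code; the header names, the in-memory user and key tables, and the guest fallback are all assumptions). The vulnerable function derives identity from a client-supplied username and only checks that some API key is present; the hardened function derives identity from the key itself, compares it in constant time, and treats any claimed username that disagrees with the key's owner as an unauthenticated request.

```python
from dataclasses import dataclass
import hmac


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


GUEST = User("guest", False)

# Constructed sample data (assumption): user records and their API keys.
# Real systems store a hash of the key, never the plaintext.
USERS = {
    "alice": User("alice", is_admin=True),
    "bob": User("bob", is_admin=False),
}
API_KEYS = {
    "alice": "key-alice-0001",
    "bob": "key-bob-0002",
}


def vulnerable_authenticate(headers: dict) -> User:
    """Identity comes from the username header; the key is never compared."""
    username = headers.get("X-Username")
    api_key = headers.get("X-API-Key")
    if username is None or api_key is None:
        return GUEST  # guest mode
    user = USERS.get(username)
    if user is None:
        return GUEST
    # Defect: the presence of *an* API key is taken as proof of identity,
    # so any key value unlocks whichever account the client names.
    return user


def secure_authenticate(headers: dict) -> User:
    """Identity comes only from a key that matches a stored key."""
    api_key = headers.get("X-API-Key")
    if not api_key:
        return GUEST  # guest mode carries no privileges
    for owner, stored_key in API_KEYS.items():
        # Constant-time comparison avoids leaking key bytes via timing.
        if hmac.compare_digest(stored_key, api_key):
            user = USERS[owner]
            claimed = headers.get("X-Username")
            # A username that disagrees with the key's owner is rejected
            # rather than trusted.
            if claimed is not None and claimed != user.name:
                return GUEST
            return user
    return GUEST


if __name__ == "__main__":
    forged = {"X-Username": "alice", "X-API-Key": "anything-at-all"}
    print("vulnerable:", vulnerable_authenticate(forged))
    print("hardened:  ", secure_authenticate(forged))
```

The point of the hardened version is that the authenticated principal is a property of the credential that was verified, never of a field the client is free to set; a username header can at most be cross-checked against that principal.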
Affected systems
The flaw lived in the python.org web codebase, not in CPython itself. It had existed since 2014. Therefore, no Python package or local install needs patching. The fix runs entirely on Python’s own servers.
Exploitation status
The reporter supplied a working proof-of-concept to the security team. Still, audits of logs and database backups found no sign of abuse. As the team explains in its official advisory, the many downstream tools that verify signatures make silent exploitation unlikely.
Patch and hardening
The Python Software Foundation deployed the fix within 48 hours of the report. The team also blocked release URLs that do not start with python.org's HTTPS domain. In addition, log retention grew from 3 to 30 days. Trail of Bits later audited the release process. Users should keep verifying Sigstore and PGP materials before trusting any build.
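One way to implement the URL restriction described above, as an added example that is not python.org's own code. The allowed host set is an assumption, and the sample URLs are constructed. Rather than a naive string prefix test, the check parses the URL, so that look-alike hosts, userinfo tricks, non-HTTPS schemes, and protocol-relative URLs are all rejected.

```python
from urllib.parse import urlsplit

# Assumption: only these hosts may appear in release download links.
ALLOWED_HOSTS = {"python.org", "www.python.org"}


def is_allowed_release_url(url: str) -> bool:
    """Return True only for an https URL whose host is an allowed host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # Scheme must be https (urlsplit lowercases it); "" catches "//host/..."
    if parts.scheme != "https":
        return False
    # Reject "https://www.python.org@evil.example/": the allowed name would
    # only be userinfo, and the real host is evil.example.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lowercased, port stripped
    if host is None or host not in ALLOWED_HOSTS:
        return False
    # Require an absolute path so a bare host is not accepted as a file link.
    return parts.path.startswith("/")


# Constructed sample links (assumption), as a release manager might submit.
SAMPLE_URLS = [
    "https://www.python.org/ftp/python/3.12.0/Python-3.12.0.tgz",
    "HTTPS://WWW.PYTHON.ORG/ftp/python/3.12.0/Python-3.12.0.tgz.sigstore",
    "http://www.python.org/ftp/python/3.12.0/Python-3.12.0.tgz",
    "https://www.python.org.evil.example/Python-3.12.0.tgz",
    "https://www.python.org@evil.example/Python-3.12.0.tgz",
    "https://evil.example/?next=https://www.python.org/",
    "//www.python.org/ftp/python/3.12.0/Python-3.12.0.tgz",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(is_allowed_release_url(u), u)
```

Only the first two sample links pass; the remaining six are the shapes a plain `startswith("https://www.python.org")` test gets wrong or lets through, which is why the check works on parsed components rather than on the raw string.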