An authentication bypass in the Python.org release management API, recently disclosed, would have let an attacker forge administrator-level API requests. With that access an attacker could have rewritten release download URLs to point at malicious files, exposing millions of Python users worldwide.
Discovering and Addressing the Vulnerability
The vulnerability was responsibly disclosed on February 23, 2026, by Splitline Ng of the DEVCORE Research Team, and the Python Security Response Team (PSRT) had it patched within 48 hours. The flaw allowed a request carrying an administrative username together with an arbitrary API key to be treated as authenticated: the presented key was accepted without being checked against the key belonging to the named account, a classic authentication bypass.
The bug had gone unnoticed since 2014, so it was present for over a decade's worth of Python releases. Exploited, it would have let an attacker alter release metadata, rewrite download URLs, and potentially tamper with the published verification materials, so that even users who compared a download against the published checksums could have been misled. That is the shape of a large-scale supply chain attack.
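To make the bug class concrete, the following is an added illustration written for this page, not python.org's code and not the actual patch: an API-key check that accepts any key presented with a known username, beside a hardened version that binds the key to the named account and compares it in constant time. The user store, key values, role names and function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed user store for the illustration (not python.org's data model).
# API keys are stored as SHA-256 digests so a database read does not expose them.
USERS = {
    "release-admin": {"role": "admin",
                      "key_digest": hashlib.sha256(b"admin-key-example").hexdigest()},
    "reporter":      {"role": "user",
                      "key_digest": hashlib.sha256(b"reporter-key-example").hexdigest()},
}

# Random digest compared against when the username is unknown, so the
# comparison costs the same whether or not the account exists.
_DUMMY_DIGEST = hashlib.sha256(secrets.token_bytes(32)).hexdigest()


def authenticate_vulnerable(username, api_key):
    """Hypothetical bug pattern: the request is accepted as long as a known
    username and *some* key are present. The key is never compared with the
    key on record, so any key paired with an admin username yields admin."""
    user = USERS.get(username)
    if user is None or not api_key:
        return None
    return {"username": username, "role": user["role"]}


def authenticate_fixed(username, api_key):
    """Hardened check: the presented key must match the digest stored for
    exactly this username, compared in constant time; the role is taken
    from the record, never from the request."""
    user = USERS.get(username)
    expected = user["key_digest"] if user is not None else _DUMMY_DIGEST
    presented = hashlib.sha256((api_key or "").encode("utf-8")).hexdigest()
    matched = hmac.compare_digest(presented, expected)
    if user is None or not matched:
        return None
    return {"username": username, "role": user["role"]}


def require_admin(principal):
    """Authorization step run after authentication for admin-only endpoints
    such as editing release metadata or download URLs."""
    return principal is not None and principal.get("role") == "admin"


if __name__ == "__main__":
    forged = authenticate_vulnerable("release-admin", "anything-at-all")
    print("vulnerable path grants admin with a bogus key:", require_admin(forged))
    denied = authenticate_fixed("release-admin", "anything-at-all")
    print("fixed path grants admin with a bogus key:", require_admin(denied))
    real = authenticate_fixed("release-admin", "admin-key-example")
    print("fixed path grants admin with the real key:", require_admin(real))
```

The hardened version also refuses to let a valid key for one account authenticate as a different username, which is the other half of binding a credential to an identity; the dummy digest keeps the unknown-username path from being distinguishable by timing.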
Immediate Security Measures Implemented
Upon confirming the vulnerability, PSRT moved quickly to fix it. Security Developer-in-Residence Seth Larson, together with Hugo van Kemenade and Jacob Coffee, developed a patch that was deployed within 24 hours. On February 24 DEVCORE verified that the vulnerability was no longer exploitable.
A forensic review followed and found no evidence of exploitation attempts. Audits of logs, databases, and artifact signatures for Python 2.5 through 3.13 showed no anomalies, a check that can only reach as far back as the retained logs. Python 3.14 and later, whose artifacts are signed with Sigstore rather than PGP under PEP 761, were verified through their Sigstore signatures.
Enhanced Security and Future Outlook
Beyond the immediate patch, further hardening was applied: validation of download URLs to block redirects to unapproved destinations, HTTPS enforcement for newer releases, and expanded test coverage for authentication-failure paths. Log retention was also lengthened to support future audits.
A third-party audit by Trail of Bits, supported by OpenAI, found no further authentication or authorization issues. That audit was completed on June 1; LLM-assisted review tooling had already been applied in April. Together these checks validated the security of the platform.
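The URL-validation measure, shown as an added example written for this page rather than taken from python.org's code: a check a release API can run before it stores or serves a download URL, rejecting non-HTTPS schemes, hosts outside an allow-list, embedded credentials, explicit ports and scheme-relative links. The allow-list host, the function names and the sample URLs are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumed allow-list of hosts permitted to serve release artifacts
# (illustrative; the page does not state python.org's actual list).
ALLOWED_HOSTS = frozenset({"www.python.org"})


def validate_download_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return `url` unchanged if it is an absolute https URL on an allowed host
    with no userinfo, no explicit port and an absolute path; raise ValueError
    otherwise. Raising keeps the caller from silently storing a bad value."""
    if not isinstance(url, str) or any(c in url for c in "\r\n\t "):
        raise ValueError("URL must be a string without whitespace or control characters")
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError(f"scheme must be https, got {parts.scheme!r}")
    # 'https://evil.example@www.python.org/' and 'https://www.python.org@evil.example/'
    # both carry userinfo; reject rather than guess which part is the host.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed in download URLs")
    if parts.port is not None:  # raises ValueError itself on a non-numeric port
        raise ValueError("explicit ports are not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:  # exact match, so 'www.python.org.evil.example' fails
        raise ValueError(f"host {host!r} is not in the allow-list")
    if not parts.path.startswith("/"):
        raise ValueError("path must be absolute")
    return url


def is_valid_download_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_download_url(url, allowed_hosts)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate URL and a set of redirect tricks.
    samples = [
        "https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz",
        "http://www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz",
        "https://www.python.org.evil.example/ftp/python/3.13.0/Python-3.13.0.tgz",
        "https://www.python.org@evil.example/ftp/python/3.13.0/Python-3.13.0.tgz",
        "//www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz",
        "https://www.python.org:8443/ftp/python/3.13.0/Python-3.13.0.tgz",
    ]
    for sample in samples:
        print("ACCEPT" if is_valid_download_url(sample) else "REJECT", sample)
```

Host matching is exact rather than suffix-based on purpose: a suffix check such as `endswith("python.org")` is the usual way this kind of validator gets bypassed with a look-alike subdomain registered elsewhere.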
The swift response and comprehensive measures taken by PSRT underscore the importance of proactive security management in software development. By addressing the vulnerability promptly, Python.org has reinforced its commitment to maintaining a secure environment for its global user base.
