Python.org patched admin-level API bypass in release management system

A critical flaw in the Python.org release management API allowed an attacker who submitted an admin username together with any API key to gain full privileges. The bug had existed since 2014. Impact was limited to release and file metadata, including download URLs and Sigstore/PGP verification links. The Python Security Response Team (PSRT) says that no evidence of exploitation was found after a review of logs, the database, and signatures.

The issue maps directly to software supply chain exposure: attackers could not alter the hosted binaries, but they could have redirected users and automated systems to malicious downloads if verification controls failed or were skipped. Python.org deployed a fix within 48 hours and added stricter URL validation, HTTPS enforcement, and longer log retention.
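The bug class and two of the mitigations described above, as an added illustration rather than Python.org's own code: an authenticator that trusts the submitted username instead of the account the API key was issued to, the bound version beside it, and a download-URL check that enforces HTTPS and an allow-listed host. The key store, usernames and host list are constructed, and it is assumed (the summary says only "any API key") that the attacker's key was a valid low-privilege one.

```python
"""Constructed example of an API key that is validated but not bound to the
claimed principal, the fixed check, and HTTPS/host validation for file URLs."""
import hmac
from urllib.parse import urlparse

# Constructed key store: api_key -> (owner, is_admin). Not real credentials.
API_KEYS = {
    "key-for-alice": ("alice", False),
    "key-for-admin": ("release-admin", True),
}

def authenticate_unbound(username: str, api_key: str):
    """Vulnerable pattern: the key only has to exist; privileges are then
    looked up from the username the caller chose to send."""
    if api_key not in API_KEYS:
        return None
    is_admin = any(u == username and a for u, a in API_KEYS.values())
    return username, is_admin

def authenticate_bound(username: str, api_key: str):
    """Fixed pattern: the key identifies the principal, and the submitted
    username must equal the key's owner (constant-time compare)."""
    record = API_KEYS.get(api_key)
    if record is None:
        return None
    owner, is_admin = record
    if not hmac.compare_digest(owner.encode(), username.encode()):
        return None
    return owner, is_admin

# Constructed allow-list of hosts that release file URLs may point to.
ALLOWED_HOSTS = {"www.python.org"}

def validate_download_url(url: str) -> bool:
    """Reject non-HTTPS URLs and any host outside the allow-list; using
    .hostname strips userinfo tricks such as https://good@evil/."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS
```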

Open sources - closed narratives

Source: Telegram "sitreports"