Python Insider

Python.org download metadata API authentication bypass fixed

security patch

A critical authentication bypass vulnerability in the python.org release management API, reported on February 23rd, 2026, has been mitigated. This flaw would have allowed an attacker to modify Python release and file metadata, potentially affecting download URLs. While no exploitation has been detected, the fix ensures API requests are processed with correct privileges and hardens URL validation. The patch was developed and deployed within 48 hours of the report, followed by extensive auditing and third-party review.

Security (1)
  • API authentication bypass vulnerability in python.org download metadata fixed

    An authentication bypass vulnerability in the python.org release management API allowed an attacker to process requests with admin privileges by supplying an arbitrary API key with an admin username. This could have led to modification of Python release and file metadata, specifically the URLs offered for download and verification materials. The issue was reported on February 23rd, 2026, and a patch was deployed within 48 hours, with subsequent audits confirming no evidence of exploitation. The vulnerability had existed in the codebase since 2014.

Enhancements (1)
  • Additional hardening applied to URL validation and logging

    The codebase was manually audited, and additional hardening was applied to prevent the circumvention of authentication or authorization. Specifically, the database and API now reject URLs that do not start with "https://www.python.org/". Logging retention for requests to python.org was also increased from 3 days to 30 days to aid in future audit work.

Maintenance (1)
  • Third-party audit and LLM analysis conducted

    A third-party audit was performed by Trail of Bits. As part of that work, URL validation was tightened to require HTTPS URLs for newer releases through a custom field validator. Additionally, LLM auditing tools were used to scan the codebase; they did not find further issues related to authentication or authorization. Test cases covering the negative authentication branches (requests that must be rejected) were also added.
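As an added illustration, not the python.org code, the two controls described on this page reconstructed in Python: an API-key check of the kind the advisory describes (a known username is enough, the supplied key is never compared) beside its hardened form, and the URL prefix rule from the hardening section applied before a metadata update is accepted. The user table, key values and URLs below are constructed.

```python
import hmac
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample user table: username -> (api_key, is_admin).
USERS = {
    "admin": ("k-" + "a" * 30, True),
    "release-manager": ("k-" + "b" * 30, False),
}

ALLOWED_PREFIX = "https://www.python.org/"  # rule stated in the advisory

@dataclass
class Principal:
    username: str
    is_admin: bool

def authenticate_vulnerable(username, api_key):
    """Bug class from the advisory (hypothetical reconstruction): the record is
    found by username and the supplied key is never compared, so any key value
    is accepted for a known user, including the admin account."""
    record = USERS.get(username)
    if record is None:
        return None
    return Principal(username, record[1])

def authenticate_fixed(username, api_key):
    """Hardened form: the stored key must equal the supplied key (constant-time
    compare); a username lookup hit alone grants nothing."""
    record = USERS.get(username)
    if record is None:
        return None
    stored_key, is_admin = record
    if not hmac.compare_digest(stored_key.encode(), api_key.encode()):
        return None
    return Principal(username, is_admin)

def validate_release_url(url):
    """Literal prefix match plus a parsed scheme/host check. The trailing slash
    in the prefix stops look-alike hosts such as www.python.org.evil.example."""
    parts = urlsplit(url)
    return (url.startswith(ALLOWED_PREFIX)
            and parts.scheme == "https" and parts.netloc == "www.python.org")

def update_download_url(authenticator, username, api_key, new_url):
    """Admin principal required first, then the URL rule; the URL check holds
    even when the authenticator is the buggy one (defence in depth)."""
    principal = authenticator(username, api_key)
    if principal is None or not principal.is_admin:
        return "denied"
    if not validate_release_url(new_url):
        return "rejected-url"
    return "updated"
```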

Read the original announcement: https://blog.python.org/2026/06/mitigated-api-bypass-for-download-metadata-python-dot-org/