
Commit 1d9c651

committed
Absolute HTTPs URLs
1 parent 5a6d4d1 commit 1d9c651

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

  • content/posts/mitigated-api-bypass-for-download-metadata-python-dot-org

content/posts/mitigated-api-bypass-for-download-metadata-python-dot-org/index.md

@@ -13,7 +13,7 @@ published: true
1313

1414
On February 23rd 2026, Splitline Ng from the DEVCORE Research Team reported to the [Python Security Response Team](https://devguide.python.org/security/psrt/) (PSRT) an authentication bypass vulnerability in the [python.org](https://python.org) release management API. By supplying an admin username with an arbitrary API key the request was processed with admin privileges.
1515

16-
If exploited, this would have allowed an attacker to modify Python release and file metadata that affects what URLs users are offered when visiting [python.org/downloads](python.org/downloads). While it would not enable existing release files to be modified in-place, it would enable an attacker to modify the URLs that are provided on [python.org](http://python.org) for each release file, including verification material URLs. There is no evidence this vulnerability was exploited after auditing logs and database backups. This scenario is even more unlikely to have happened unnoticed due to the many redistributions requiring Python Sigstore and PGP materials be verified prior to builds.
16+
If exploited, this would have allowed an attacker to modify Python release and file metadata that affects what URLs users are offered when visiting [python.org/downloads](https://python.org/downloads). While it would not enable existing release files to be modified in-place, it would enable an attacker to modify the URLs that are provided on [python.org](https://python.org) for each release file, including verification material URLs. There is no evidence this vulnerability was exploited after auditing logs and database backups. This scenario is even more unlikely to have happened unnoticed due to the many redistributions requiring Python Sigstore and PGP materials be verified prior to builds.
1717

1818
## Details
1919
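Review bot: the scheme-less target `(python.org/downloads)` on line 16 would have been emitted as a relative link by the static site generator (resolving under the post's own path rather than to python.org), so this is a broken-link fix, not only a style cleanup; the `http://python.org` to `https://python.org` change likewise removes a dependency on an upgrade redirect for a page that points readers at verification material. Consider adding a markdown link check to CI for `content/posts` that rejects scheme-less and plain `http://` targets, since this is easy to reintroduce in future posts. Minor wording in the same sentence: "the many redistributions requiring Python Sigstore and PGP materials be verified" reads better as "the many redistributors requiring ..." and could ride along in this commit.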
