A critical authentication bypass vulnerability was identified in the python.org release management API, allowing unauthorized admin access with an admin username and an arbitrary API key. The flaw, reported by researcher Splitline Ng on February 23, 2026, impacts millions of developers who rely on python.org for software downloads, but it does not alter existing release files. The vulnerability dated back to 2014 and was fixed within 48 hours of being reported.
Python's security team enhanced URL restrictions and extended log retention to prevent potential exploitation. Although there were no signs of prior abuse, users are advised to verify downloaded materials.