
The remediated findings include organization permission bugs, stale project access after transfers, OIDC replay edge cases, audit logging gaps, and an IDOR in A…

Published:

1 May 2026 at 21:05:27

Alert date:

2 May 2026 at 04:00:53

Source:

socket.dev


Supply Chain & Dependencies, Identity & Access

PyPI fixed two high-severity access control vulnerabilities found during a security audit by Trail of Bits. The first allowed organization members to invite owners with elevated privileges; the second allowed stale team permissions to persist after project transfers, potentially granting unauthorized upload access. Additional issues included OIDC trusted publishing replay vulnerabilities, inconsistent metadata validation between different APIs, and various authorization enforcement gaps. The audit identified 14 findings in total, most of which have been remediated; the exception is the wheel metadata validation gaps.

Technical details

PyPI had two high-severity access control flaws:

1) Organization members could invite owners. The manage_organization_roles view required only the OrganizationsRead permission for both GET and POST requests, so any member could send an invitation carrying the Owner role, which includes administrative control.

2) Project transfers left stale upload access. The delete_organization_project method deleted only the OrganizationProject junction records, not the associated TeamProjectRole records, so upload permissions were retained after a project transfer.

Additional issues included OIDC JWT replay vulnerabilities, caused by Redis key expiration being misaligned with the JWT leeway window (a 25-second window for replay attacks); time-of-check to time-of-use race conditions in the anti-replay flow; and wheel metadata validation gaps, where metadata embedded in wheels was not validated against form-derived metadata, creating inconsistent dependency information between APIs.

Mitigation steps:

PyPI has already implemented fixes, including: splitting the view configuration so that GET requests require OrganizationsRead while POST requests require OrganizationsManage; deleting TeamProjectRole records before deleting the OrganizationProject junction records; adding defensive ACL filters that verify a team's organization matches the project's current organization; aligning Redis key expiration with the full JWT leeway window; and centralizing the time-window constants. Because the metadata validation gaps remain unfixed, security tools and SBOM generators should be aware that they may see different dependency information from what pip installs.
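An added example (not Warehouse code and not taken from the audit) that models the expiry mismatch described above: the anti-replay key is dropped while the token still verifies, and aligning the key lifetime with the leeway closes the gap. The 30-second leeway and 5-second key margin are assumed values chosen to reproduce the 25-second window, and ExpiringStore, accept_token and replay_times are hypothetical names.

```python
LEEWAY = 30      # assumed clock-skew leeway applied when checking exp, in seconds
OLD_MARGIN = 5   # assumed pre-fix lifetime of the JTI key past exp, in seconds


class ExpiringStore:
    """In-memory stand-in for a key store with per-key expiry (such as Redis)."""

    def __init__(self):
        self._expires_at = {}

    def set_if_absent(self, key, expires_at, now):
        """Check and record in one step; True only if the key was not live.

        Doing both in a single operation (Redis: SET ... NX) leaves no gap
        between the check and the write for a concurrent request to slip into.
        """
        if self._expires_at.get(key, 0) > now:
            return False
        self._expires_at[key] = expires_at
        return True


def accept_token(store, jti, exp, now, key_margin):
    """Return True if a token with this jti/exp is accepted at time `now`."""
    if now >= exp + LEEWAY:  # past exp plus leeway: rejected as expired
        return False
    return store.set_if_absent(f"jti:{jti}", exp + key_margin, now)


def replay_times(key_margin, exp=1000, first_use=940):
    """Times after first use at which presenting the same token again succeeds."""
    accepted = []
    for t in range(first_use + 1, exp + LEEWAY + 10):
        store = ExpiringStore()  # fresh store per trial; the jti value is constructed
        accept_token(store, "constructed-jti", exp, first_use, key_margin)
        if accept_token(store, "constructed-jti", exp, t, key_margin):
            accepted.append(t)
    return accepted


if __name__ == "__main__":
    gap = replay_times(OLD_MARGIN)
    print("key expires before leeway ends:", len(gap), "seconds accepted again")
    print("key covers full leeway window: ", len(replay_times(LEEWAY)), "seconds")
```

Deriving the key lifetime and the verification leeway from one shared constant, as in the centralized time-window constants mentioned above, keeps the two from drifting apart again.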

Affected products:

PyPI (Python Package Index)
Warehouse (open source Python application powering PyPI)
pip 22.3 and later


This article was created with the assistance of AI technology by Perceptive.
