PT-2026-33800 · Pypi · Python-Dotenv

Tsigouris007 · Published 2026-04-20 · Updated 2026-06-11 · CVE-2026-28684

CVSS v3.1
6.6 Medium
Vector AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

python-dotenv versions prior to 1.2.2

Description

The set_key() and unset_key() functions in python-dotenv follow symbolic links when rewriting .env files. Both go through the rewrite() context manager in dotenv/main.py, which writes the new contents to a temporary file in the system default temporary directory and then moves it over the target path with shutil.move(). When the temporary directory and the target are on the same filesystem, shutil.move() uses os.rename(), which replaces a symlink at the destination rather than following it. When they are on different filesystems, os.rename() fails and shutil.move() falls back to shutil.copy2(), which follows symbolic links by default, so the new contents are written into whatever file the symlink points at. A local attacker with write access to the directory containing the .env file can replace it with a symlink to another file and cause the application process to overwrite any file it has permission to modify, leading to integrity violations, denial of service, or privilege escalation depending on which file is targeted.

Recommendations

Upgrade to version 1.2.2.
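As an added worked example (not code from the python-dotenv project or from the advisory author), the script below reproduces the rewrite pattern described above against a symlinked .env and contrasts it with a hardened rewrite. It assumes a POSIX host where the current user may create symlinks, and it invokes the copy fallback directly through shutil.copy2() because a temporary directory on a different filesystem cannot be assumed on the machine running it. The hardened function is this example's own approach and is not claimed to be the change shipped in 1.2.2.

```python
import os
import shutil
import tempfile
from pathlib import Path


def vulnerable_rewrite(target: str, new_content: str) -> None:
    """Rewrite `target` the way the advisory describes the old code path.

    Assumption (constructed for this example): the temporary file lives in the
    system temp directory, which sits on a different filesystem from `target`,
    so os.rename() would fail with EXDEV and shutil.move() would fall back to
    shutil.copy2(). That fallback is called directly here so the behaviour is
    reproducible offline. copy2() opens `target` for writing and therefore
    follows a symlink placed there.
    """
    fd, tmp = tempfile.mkstemp(prefix="dotenv-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_content)
        shutil.copy2(tmp, target)  # writes through a symlink at `target`
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def safe_rewrite(target: str, new_content: str) -> None:
    """Hardened rewrite (this example's own approach, not the project's fix).

    1. Refuse to touch a symlink at all (Path.is_symlink() uses lstat).
    2. Create the temporary file in the target's own directory, so the final
       step is os.replace(): a same-filesystem rename that swaps the directory
       entry atomically and never follows a symlink at the destination.
    """
    target_path = Path(target)
    if target_path.is_symlink():
        raise OSError(f"refusing to rewrite symlink: {target}")
    fd, tmp = tempfile.mkstemp(
        dir=target_path.parent, prefix=f".{target_path.name}.", suffix=".tmp"
    )
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_content)
        os.replace(tmp, target)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def demo() -> dict:
    """Constructed scenario: an attacker replaced .env with a symlink to victim.txt."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        env = os.path.join(d, ".env")
        with open(victim, "w") as f:
            f.write("original\n")
        os.symlink(victim, env)

        # Old path: the copy fallback writes through the link and clobbers victim.txt.
        vulnerable_rewrite(env, "SECRET=attacker\n")
        with open(victim) as f:
            results["vulnerable_clobbers_target"] = f.read() == "SECRET=attacker\n"
        results["link_still_in_place"] = os.path.islink(env)

        # Reset the victim, then run the hardened path against the same symlink.
        with open(victim, "w") as f:
            f.write("original\n")
        try:
            safe_rewrite(env, "SECRET=attacker\n")
            results["hardened_refuses_symlink"] = False
        except OSError:
            results["hardened_refuses_symlink"] = True
        with open(victim) as f:
            results["target_intact"] = f.read() == "original\n"

        # On a regular file the hardened path behaves like a normal rewrite.
        os.unlink(env)
        with open(env, "w") as f:
            f.write("SECRET=old\n")
        safe_rewrite(env, "SECRET=new\n")
        with open(env) as f:
            results["regular_file_rewritten"] = f.read() == "SECRET=new\n"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The second half of the hardening matters even without the explicit check: a temporary file created next to the target is renamed with os.replace() on one filesystem, and rename(2) replaces a symlink at the destination instead of writing through it, so the pointed-to file is never opened. The lstat-based check is there so a tampered .env is reported rather than silently replaced by a fresh regular file. A short window remains between the check and the rename, but an attacker who races it only gets their symlink discarded.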

Weakness Enumeration

Link Following

Related Identifiers

CVE-2026-28684
GHSA-MF9W-MJ56-HR94
OESA-2026-2198
OESA-2026-2199
OESA-2026-2324
OPENSUSE-SU-2026:20952-1

Affected Products

Python-Dotenv