CVE-2026-28684
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
CVSS Score
6.6
EPSS Score
0.0%
EPSS Percentile
0th
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually.
| CWE | CWE-59 CWE-61 |
| Vendor | theskumar |
| Product | python-dotenv |
| Published | Apr 20, 2026 |
| Last Updated | Apr 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for theskumar python-dotenv
Be the first to know when new medium vulnerabilities affecting theskumar python-dotenv are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
Affected Versions
theskumar / python-dotenv
< 1.2.2