CVE-2026-28684
Received Received - Intake
Symlink File Overwrite Vulnerability in python-dotenv Before

Publication date: 2026-04-20

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28684
EUVD
EUVD-2026-23901
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
saurabh-kumar python-dotenv to 1.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing an attacker to overwrite arbitrary files on your system if they have write access to the directory containing the .env file.

  • Integrity violation: attacker-controlled content can overwrite sensitive files.
  • Denial of Service: critical configuration or system files can be corrupted or destroyed.
  • Potential privilege escalation: if a privileged process calls set_key(), attackers can overwrite files beyond their normal access rights.
Executive Summary

CVE-2026-28684 is a moderate severity vulnerability in the python-dotenv package versions prior to 1.2.2. The vulnerability arises because the set_key() and unset_key() functions follow symbolic links (symlinks) when rewriting .env files. When the .env file is a symlink and the temporary file used for rewriting is on a different filesystem, the fallback method to replace the file follows the symlink and overwrites the symlink's target file instead of the symlink itself.

An attacker with write access to the directory containing the .env file can create a malicious symlink pointing to any writable file accessible by the application. When set_key() or unset_key() is called, the attacker-controlled content is written to the target file, allowing arbitrary file overwrite without race conditions.

This vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access) and CWE-61 (UNIX Symbolic Link Following). It was fixed by changing the functions to not follow symlinks by default, creating temporary files in the same directory as the target file, and using safer file replacement methods.

Detection Guidance

This vulnerability involves unsafe symbolic link handling in the python-dotenv package's set_key() and unset_key() functions when rewriting .env files. Detection involves checking if your environment uses python-dotenv versions prior to 1.2.2 and if .env files are symbolic links that could be exploited.

There are no specific detection commands provided in the available resources. However, you can manually inspect your system by:

  • Checking the python-dotenv version installed (e.g., using `pip show python-dotenv` or `pip list | grep python-dotenv`).
  • Identifying if any .env files used by your applications are symbolic links by running `ls -l path/to/.env` and looking for symlink indicators.
  • Reviewing if your system's temporary directory (commonly /tmp) is on a different filesystem than the .env file location, which can trigger the vulnerability.

No automated detection commands or scripts are provided in the resources.

Mitigation Strategies

The primary and recommended mitigation is to upgrade python-dotenv to version 1.2.2 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, a manual patch can be applied to modify the rewrite() function to avoid following symlinks by default and to create temporary files in the same directory as the target .env file to avoid cross-device rename fallback.

  • Upgrade python-dotenv to version 1.2.2 or later.
  • Avoid using set_key() and unset_key() on .env files that are symbolic links.
  • Apply the patch that changes set_key() and unset_key() to not follow symlinks by default and to create temporary files in the target directory.
  • Use the new follow_symlinks parameter explicitly if symlink following is required, but be aware of the risks.
Compliance Impact

CVE-2026-28684 allows a local attacker to overwrite arbitrary files via crafted symbolic links when using vulnerable versions of python-dotenv. This can lead to integrity violations by overwriting sensitive files with attacker-controlled content, denial of service through corruption of critical files, and potential privilege escalation if privileged processes invoke the vulnerable functions.

Such impacts on data integrity and system availability could negatively affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity. Overwriting configuration or sensitive files could lead to unauthorized data modification or exposure, violating these regulations' requirements for data security and integrity.

Therefore, organizations using vulnerable versions of python-dotenv may face increased risk of non-compliance with these standards unless they apply the recommended fixes or upgrades.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28684. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart