CVE-2026-28684
Symlink File Overwrite Vulnerability in python-dotenv Before
Publication date: 2026-04-20
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| saurabh-kumar | python-dotenv | all versions before 1.2.2 (1.2.2 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to overwrite arbitrary files on your system if they have write access to the directory containing the .env file.
- Integrity violation: attacker-controlled content can overwrite sensitive files.
- Denial of Service: critical configuration or system files can be corrupted or destroyed.
- Potential privilege escalation: if a privileged process calls set_key(), attackers can overwrite files beyond their normal access rights.
Can you explain this vulnerability to me?
CVE-2026-28684 is a moderate-severity vulnerability in python-dotenv versions prior to 1.2.2. It arises because the set_key() and unset_key() functions follow symbolic links (symlinks) when rewriting .env files. The rewrite is done by writing a temporary file and then renaming it over the .env path; when the .env file is a symlink and the temporary file lives on a different filesystem, that rename fails and the fallback replacement method follows the symlink, overwriting the symlink's target file instead of replacing the symlink itself.
An attacker with write access to the directory containing the .env file can create a malicious symlink pointing to any writable file accessible by the application. When set_key() or unset_key() is called, the attacker-controlled content is written to the target file, allowing arbitrary file overwrite without race conditions.
This vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access) and CWE-61 (UNIX Symbolic Link Following). It was fixed by changing the functions to not follow symlinks by default, creating temporary files in the same directory as the target file, and using safer file replacement methods.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsafe symbolic link handling in the python-dotenv package's set_key() and unset_key() functions when rewriting .env files. Detection involves checking if your environment uses python-dotenv versions prior to 1.2.2 and if .env files are symbolic links that could be exploited.
There are no specific detection commands provided in the available resources. However, you can manually inspect your system by:
- Checking the python-dotenv version installed (e.g., using `pip show python-dotenv` or `pip list | grep python-dotenv`).
- Identifying whether any .env files used by your applications are symbolic links by running `ls -l path/to/.env` and looking for a leading `l` in the mode column and a `-> target` suffix in the output.
- Reviewing if your system's temporary directory (commonly /tmp) is on a different filesystem than the .env file location, which can trigger the vulnerability.
No automated detection commands or scripts are provided in the resources.
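The three manual checks above, as an added script that is not part of python-dotenv or of the resources cited here. The function names (`assess`, `installed_dotenv_is_vulnerable`, `env_file_is_symlink`, `tempdir_on_other_filesystem`) are this example's own; the 1.2.2 threshold is the fixed version named in the advisory. A report where all three values are `True` means the unpatched code path described above is reachable for that .env file.

```python
# Added example (not python-dotenv code): the three manual checks as one script.
# Assumed names: assess, installed_dotenv_is_vulnerable, env_file_is_symlink and
# tempdir_on_other_filesystem are this example's own. 1.2.2 is the fixed version
# named in the advisory.
import os
import sys
import tempfile
from importlib import metadata

FIXED_VERSION = (1, 2, 2)


def parse_version(text):
    """'1.2.1' -> (1, 2, 1). Only the leading digits of each dotted piece are
    used, so a pre-release suffix such as 'rc1' is ignored (treated as the release)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def installed_dotenv_is_vulnerable():
    """True if python-dotenv < 1.2.2 is installed, False if >= 1.2.2,
    None if the package is not installed in this interpreter."""
    try:
        version = metadata.version("python-dotenv")
    except metadata.PackageNotFoundError:
        return None
    return parse_version(version) < FIXED_VERSION


def env_file_is_symlink(path):
    """Look at the link itself (lstat), not at what it points to."""
    return os.path.islink(path)


def tempdir_on_other_filesystem(path, tmpdir=None):
    """The vulnerable fallback only runs when the temp file and the directory
    holding the .env file are on different devices (different st_dev)."""
    tmpdir = tmpdir or tempfile.gettempdir()
    env_dir = os.path.dirname(os.path.abspath(path)) or "."
    return os.stat(env_dir).st_dev != os.stat(tmpdir).st_dev


def assess(path, tmpdir=None):
    """Run all three checks for one .env path and return a dict report."""
    return {
        "dotenv_vulnerable": installed_dotenv_is_vulnerable(),
        "env_is_symlink": env_file_is_symlink(path),
        "tmp_on_other_fs": tempdir_on_other_filesystem(path, tmpdir),
    }


if __name__ == "__main__":
    # usage: python check_dotenv.py /path/to/.env [...]
    for env_path in sys.argv[1:] or [".env"]:
        print(env_path, assess(env_path))
```

`tempfile.gettempdir()` is used because the temporary file in the vulnerable rewrite comes from the standard tempfile module, so comparing its device number with that of the .env file's directory is what decides whether the cross-device fallback can be hit.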
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade python-dotenv to version 1.2.2 or later, where the vulnerability has been fixed.
If upgrading immediately is not possible, a manual patch can be applied to modify the rewrite() function to avoid following symlinks by default and to create temporary files in the same directory as the target .env file to avoid cross-device rename fallback.
- Upgrade python-dotenv to version 1.2.2 or later.
- Avoid using set_key() and unset_key() on .env files that are symbolic links.
- Apply the patch that changes set_key() and unset_key() to not follow symlinks by default and to create temporary files in the target directory.
- Use the new follow_symlinks parameter explicitly if symlink following is required, but be aware of the risks.
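What the mitigation looks like in code, as an added standalone helper that is not python-dotenv's own implementation: `safe_rewrite` and `set_key_safely` are names chosen for this example, and the `follow_symlinks` keyword mirrors the parameter the advisory mentions without claiming to match the library's signature. The helper refuses a symlink by default, creates its temporary file next to the target so the final rename never crosses a filesystem boundary, and relies on `os.replace()`, which swaps the directory entry rather than writing through a link.

```python
# Added example (not python-dotenv code): a standalone rewrite helper that
# applies the three fixes listed above. safe_rewrite and set_key_safely are
# this example's own names, not the library's API.
import os
import tempfile


def safe_rewrite(path, new_content, follow_symlinks=False):
    """Atomically replace the contents of `path`; returns the path actually written.

    1. Symlinks are refused unless the caller opts in with follow_symlinks=True.
    2. The temp file is created in the target's own directory, so the final
       os.replace() is a same-filesystem rename and the cross-device copy
       fallback that followed the link in vulnerable versions never runs.
    3. rename(2) swaps the directory entry itself, so even a symlink at
       `path` would be replaced, not written through.
    """
    if os.path.islink(path) and not follow_symlinks:
        raise PermissionError(
            f"refusing to rewrite {path!r}: it is a symlink "
            "(pass follow_symlinks=True to write the resolved target)"
        )
    target = os.path.realpath(path) if follow_symlinks else path
    directory = os.path.dirname(os.path.abspath(target)) or "."
    fd, tmp_path = tempfile.mkstemp(prefix=".env.tmp.", dir=directory)
    try:
        with os.fdopen(fd, "w") as tmp:
            tmp.write(new_content)
        try:
            # keep the existing mode bits; mkstemp creates the file 0600
            os.chmod(tmp_path, os.stat(target).st_mode & 0o7777)
        except FileNotFoundError:
            pass  # new file: keep mkstemp's restrictive mode
        os.replace(tmp_path, target)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)  # never leave a half-written temp file behind
        raise
    return target


def set_key_safely(path, key, value, follow_symlinks=False):
    """Minimal set_key()-style update: replace the `KEY=` line or append one,
    then write back through safe_rewrite(). Returns the resulting key/value map."""
    lines = []
    if os.path.exists(path):
        with open(path) as f:
            lines = f.read().splitlines()
    new_line = f"{key}={value}"
    replaced = False
    for i, line in enumerate(lines):
        if line.split("=", 1)[0].strip() == key:
            lines[i] = new_line
            replaced = True
    if not replaced:
        lines.append(new_line)
    safe_rewrite(path, "\n".join(lines) + "\n", follow_symlinks)
    return {k.strip(): v for k, v in (l.split("=", 1) for l in lines if "=" in l)}


if __name__ == "__main__":
    # usage: python safe_set_key.py /path/to/.env KEY VALUE
    import sys
    env_path, key, value = sys.argv[1:4]
    print(set_key_safely(env_path, key, value))
```

The default refusal is deliberate: a deployment that legitimately keeps `.env` as a symlink must say so at the call site, which is exactly the opt-in the advisory describes for `follow_symlinks`.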
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-28684 allows a local attacker to overwrite arbitrary files via crafted symbolic links when using vulnerable versions of python-dotenv. This can lead to integrity violations by overwriting sensitive files with attacker-controlled content, denial of service through corruption of critical files, and potential privilege escalation if privileged processes invoke the vulnerable functions.
Such impacts on data integrity and system availability could negatively affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity. Overwriting configuration or sensitive files could lead to unauthorized data modification or exposure, violating these regulations' requirements for data security and integrity.
Therefore, organizations using vulnerable versions of python-dotenv may face increased risk of non-compliance with these standards unless they apply the recommended fixes or upgrades.