CVE-2026-28684
Severity CVSS v4.0:
Pending analysis
Type:
CWE-59
Link Following
Publication date:
20/04/2026
Last modified:
27/04/2026
Description
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually.
Impact
Base Score 3.x
6.60
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:saurabh-kumar:python-dotenv:*:*:*:*:*:python:*:* | 1.2.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311
- https://github.com/theskumar/python-dotenv/releases/tag/v1.2.2
- https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94
- https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94