CVE-2026-28684: python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
set_key() and unset_key() in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered.
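The two properties a rewrite helper needs to avoid this bug class are shown in the added example below, which is illustrative code and not python-dotenv's own implementation or its fix: the temporary file is created in the target's own directory, so the final rename is a same-filesystem `os.replace()` and no cross-device copy fallback can run, and a symbolic link at the target path is refused rather than followed. `SymlinkRefused`, `rewrite_nofollow` and `set_key_nofollow` are hypothetical names introduced here.

```python
import os
import tempfile
from contextlib import contextmanager


class SymlinkRefused(OSError):
    """Target of a rewrite is a symbolic link (hypothetical exception for this example)."""


@contextmanager
def rewrite_nofollow(path: str, encoding: str = "utf-8"):
    """Yield (source, dest); on success atomically replace `path` with dest's contents.

    The temp file is created in the target's own directory, so os.replace() is a
    same-filesystem rename and no cross-device copy fallback can ever run.
    """
    # islink() uses lstat(), so the link entry itself is inspected rather than followed.
    if os.path.islink(path):
        raise SymlinkRefused(f"refusing to rewrite through symbolic link: {path}")
    # O_NOFOLLOW (POSIX) makes the open fail with ELOOP if a link appears between the
    # islink check and here; where the flag is absent we rely on the check alone.
    flags = os.O_RDONLY | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    src_fd = os.open(path, flags, 0o600)
    tmp_fd, tmp_name = tempfile.mkstemp(prefix=".env-", dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(src_fd, "r", encoding=encoding) as source, \
                os.fdopen(tmp_fd, "w", encoding=encoding) as dest:
            yield source, dest
            dest.flush()
            os.fsync(dest.fileno())
        os.replace(tmp_name, path)  # rename(2) swaps the directory entry and never follows a link
    except BaseException:
        os.unlink(tmp_name)
        raise


def set_key_nofollow(path: str, key: str, value: str) -> None:
    """Toy KEY=value updater (not dotenv's parser) showing the hardened rewrite in use."""
    replaced = False
    with rewrite_nofollow(path) as (source, dest):
        for line in source:
            if line.split("=", 1)[0].strip() == key:
                dest.write(f"{key}={value}\n")
                replaced = True
            else:
                dest.write(line if line.endswith("\n") else line + "\n")
        if not replaced:
            dest.write(f"{key}={value}\n")
```

A regression test for this class of bug points the target path at a symlink to an unrelated file and asserts that the call is refused, the linked file is unchanged and the link entry itself is still in place.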
References
- github.com/advisories/GHSA-mf9w-mj56-hr94
- github.com/theskumar/python-dotenv
- github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311
- github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311.patch
- github.com/theskumar/python-dotenv/releases/tag/v1.2.2
- github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94
- nvd.nist.gov/vuln/detail/CVE-2026-28684