Anonymous Intelligence Signal

Python-dotenv v1.2.2 Patches Critical Symlink Vulnerability (CVE-2026-28684)

The Lab (unverified), 2026-04-21 19:23:00. Source: GitHub Issues

A security flaw rated critical in the widely used python-dotenv library has been patched in version 1.2.2. The vulnerability, tracked as CVE-2026-28684 and GHSA-mf9w-mj56-hr94, resides in the `set_key()` and `unset_key()` functions. These functions rewrite `.env` files, which typically hold sensitive configuration such as API keys and database passwords, and in affected versions they follow symbolic links while doing so. A local attacker who can place a symlink where the `.env` file is expected can therefore turn a legitimate rewrite into an overwrite of a file of their choosing, carried out with the privileges of the process performing the rewrite.

The issue sits in the cross-device rename fallback used when the rewritten contents are moved into place. A rename cannot cross filesystems, so when the newly written file and the `.env` path are on different devices the rename fails and the library falls back to copying the data into the destination path instead. That fallback does not validate the destination and opens it by path, so a symbolic link at the `.env` location is followed and the link's target, rather than the link itself, receives the new contents. An attacker with local access can plant such a link pointing at a sensitive file; the next legitimate call to `set_key()` or `unset_key()` then overwrites that file, leading to data corruption, privilege escalation (when the rewriting process runs with higher privileges than the attacker), or denial of service. Versions prior to 1.2.2 are affected.
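The two rewrite strategies side by side, as an added example that is not python-dotenv's code: `rewrite_following_symlinks` models the copy fallback described above (forced unconditionally, since the demo cannot guarantee two filesystems), and `rewrite_no_follow` is one hardened form that validates the destination with `O_NOFOLLOW` and replaces it from a temporary file in the same directory, so the rename never crosses devices and the fallback is gone. The file names, the `demo()` scenario and its contents are constructed; the example assumes a POSIX host where the current user may create symlinks.

```python
import errno
import os
import shutil
import stat
import tempfile

# Constructed example, not python-dotenv's code. It models the rewrite
# pattern the advisory describes (new contents written to a separate file,
# then moved over the .env path) and the copy branch a failed cross-device
# rename falls into. Assumes POSIX semantics and symlink support.


def rewrite_following_symlinks(dest, content):
    """Vulnerable pattern: the fallback copies into dest by path."""
    fd, tmp = tempfile.mkstemp(prefix="env-")  # default tmp dir, possibly another device
    with os.fdopen(fd, "w") as f:
        f.write(content)
    # Branch taken when os.rename(tmp, dest) fails with EXDEV. Forced here so
    # the demo does not depend on two filesystems. open(dest, "w") resolves
    # the path, so a symlink at dest is followed and its target is truncated
    # and rewritten with the new contents.
    with open(tmp) as src, open(dest, "w") as dst:
        shutil.copyfileobj(src, dst)
    os.unlink(tmp)


def rewrite_no_follow(dest, content):
    """Hardened variant: refuse a symlinked dest, then replace atomically."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(dest, flags, 0o600)  # ELOOP if dest is a symlink
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise OSError(exc.errno, "refusing to write through a symlink", dest)
        raise
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(errno.EINVAL, "destination is not a regular file", dest)
    finally:
        os.close(fd)
    # Temp file in the same directory: the rename can never cross devices, so
    # no copy fallback exists. os.replace renames the directory entry and
    # never follows a link at dest, even one planted after the check above.
    directory = os.path.dirname(os.path.abspath(dest))
    fd, tmp = tempfile.mkstemp(prefix=".env-", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.replace(tmp, dest)
    except BaseException:
        os.unlink(tmp)
        raise


def demo(base=None):
    """Constructed scenario: the attacker plants `.env` as a symlink to a
    file they cannot write directly. Returns what each rewrite did."""
    base = base or tempfile.mkdtemp()
    target = os.path.join(base, "sensitive.conf")  # hypothetical victim file
    link = os.path.join(base, ".env")
    with open(target, "w") as f:
        f.write("original\n")
    os.symlink(target, link)

    rewrite_following_symlinks(link, "API_KEY=attacker\n")
    with open(target) as f:
        after_vulnerable = f.read()  # target clobbered through the link

    with open(target, "w") as f:
        f.write("original\n")
    try:
        rewrite_no_follow(link, "API_KEY=attacker\n")
        refused = False
    except OSError:
        refused = True
    with open(target) as f:
        after_hardened = f.read()  # untouched

    # Sanity check: the hardened rewrite still works on a regular file.
    real = os.path.join(base, "real.env")
    with open(real, "w") as f:
        f.write("API_KEY=old\n")
    rewrite_no_follow(real, "API_KEY=new\n")
    with open(real) as f:
        real_after = f.read()

    shutil.rmtree(base)
    return {
        "after_vulnerable": after_vulnerable,
        "hardened_refused": refused,
        "after_hardened": after_hardened,
        "regular_file_rewritten": real_after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `O_NOFOLLOW` open is what makes the check atomic; an `os.path.islink()` test before writing would leave a window in which the link can be swapped in. Writing the temporary file next to the destination matters as much as the check, because it removes the cross-device condition that pulls the code into the copy path in the first place.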

The fix in python-dotenv 1.2.2 stops the rewrite from following symbolic links. The update is already propagating as a security dependency bump across many Python projects, visible in automated pull requests on GitHub and similar platforms. Because python-dotenv is so widely used to manage application secrets, any project that pins an older version carries the risk in its dependency chain; check the installed version with `pip show python-dotenv` (or in your lock file) and upgrade to 1.2.2 or later. Until the upgrade lands, `.env` files written by a privileged process should live in a directory that untrusted local users cannot write to, since the attack depends on planting a symlink there.