Python-dotenv Security Flaw: CVE-2026-28684 Allows Arbitrary File Overwrite via Symbolic Links
A critical security vulnerability in the widely used python-dotenv library exposes systems to arbitrary file overwrite attacks. The flaw, tracked as CVE-2026-28684 (GHSA-mf9w-mj56-hr94), resides in the `set_key()` and `unset_key()` functions. These functions follow symbolic links when rewriting `.env` files, giving a local attacker a path to overwrite files they should not have access to. This is not a theoretical risk; it is a direct vector for privilege escalation and data corruption within any application that uses this library to manage environment variables.
The vulnerability lies in a cross-device rename fallback mechanism. When python-dotenv rewrites a `.env` file that is a symbolic link, it does not check the link target's ownership or permissions before performing write operations. An attacker who can create or influence such a symlink can therefore redirect the library's file operations to a critical system file or to another user's sensitive data. The issue affects versions prior to 1.2.2, prompting an urgent security update to version 1.2.2, as seen in automated dependency PRs from tools like RenovateBot.
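As an added example (not python-dotenv's own code), the helper below rewrites a `.env` file with the checks the vulnerable fallback lacked: it refuses a path that is a symlink or owned by another user, and it replaces the file through a temp file in the same directory so that no cross-device fallback is ever taken. The function names and the `is_fixed_version` version check are assumptions made for this illustration.

```python
import os
import re
import stat
import tempfile


def check_env_path(path: str) -> os.stat_result:
    """Refuse a symlink, a non-regular file, or a file owned by another user."""
    st = os.lstat(path)  # lstat inspects the path itself, never a link target
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"refusing to write through symlink: {path}")
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"not a regular file: {path}")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError(f"{path} is owned by uid {st.st_uid}, not the caller")
    return st


def safe_set_key(path: str, key: str, value: str) -> list:
    """Set KEY=value in a .env file, keeping other lines, with the checks above."""
    st = check_env_path(path)
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    new = f"{key}={value}"
    out = [new if line.split("=", 1)[0].strip() == key else line for line in lines]
    if new not in out:
        out.append(new)
    # Temp file in the same directory: same filesystem, so os.replace is one
    # atomic rename and no cross-device copy-and-rename fallback is ever needed.
    fd, tmp = tempfile.mkstemp(prefix=".env.", dir=os.path.dirname(os.path.abspath(path)))
    try:
        os.fchmod(fd, stat.S_IMODE(st.st_mode))  # keep the original file mode
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("\n".join(out) + "\n")
        # rename swaps the directory entry and never follows a link, so a symlink
        # raced in after the check would be replaced, not written through.
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return out


def is_fixed_version(version: str) -> bool:
    """True when a python-dotenv version string is 1.2.2 or later (pre-release tags ignored)."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return nums >= (1, 2, 2)
```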
The implications are severe for any Python application, especially in multi-user environments, containers, or shared hosting scenarios where `.env` files are common. Developers and security teams must immediately audit their dependencies and upgrade to python-dotenv v1.2.2. Failure to patch leaves application configurations and adjacent files vulnerable to silent manipulation, which could lead to further system compromise, data loss, or service disruption. This flaw underscores the persistent security risks hidden in foundational utility libraries that handle file I/O.