Python-dotenv v1.2.1 Security Flaw: CVE-2026-28684 Allows Local Attackers to Overwrite Arbitrary Files
A critical security vulnerability in the widely used python-dotenv library exposes systems to local file overwrite attacks. The flaw, tracked as CVE-2026-28684 (GHSA-mf9w-mj56-hr94), resides in the `set_key()` and `unset_key()` functions. These functions follow symbolic links when rewriting `.env` files, giving a local attacker a way to redirect the write and overwrite arbitrary files on the system. This is a classic symlink attack vector, exploiting the library's failure to properly validate file paths before performing write operations.
The vulnerability specifically affects python-dotenv version 1.2.1. The issue stems from a cross-device rename fallback mechanism that does not adequately check for symbolic links. When the library attempts to update a `.env` file that is actually a symlink pointing to a critical system file, the subsequent write operation can corrupt or overwrite that target file. This type of flaw is particularly dangerous in multi-user environments or shared hosting scenarios where an attacker may have limited local access but can influence file paths.
The maintainers have released version 1.2.2 to patch this security hole. The update is classified as a security dependency change, which prompts automated tools such as Renovate to flag it for immediate action. Any project relying on python-dotenv for environment variable management must upgrade to the patched version to mitigate the risk of local privilege escalation or system file corruption. The presence of this CVE in a core utility underscores the persistent security challenges in open-source dependency management and the critical need for prompt updates when vulnerabilities are disclosed.
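A defensive guard a project could put in front of its own `.env` rewrites, added here as an illustration and not code from python-dotenv or its fix: it checks that the installed library is at least the patched 1.2.2 release named above, and refuses to hand a symlink (or any non-regular file) to `set_key()`. The `guarded_set_key` wrapper and the `installed_dotenv_is_patched` helper are assumed names; the only library call used is the real `dotenv.set_key(dotenv_path, key, value)`.

```python
import os
from importlib.metadata import PackageNotFoundError, version

# First release the advisory names as patched for CVE-2026-28684 (taken from the article).
FIXED_VERSION = ((1, 2, 2), True)


def parse_version(text):
    """Map '1.2.1' -> ((1, 2, 1), True); a pre-release such as '1.2.2rc1'
    becomes ((1, 2, 2), False) so that it sorts below the final 1.2.2."""
    numbers, final = [], True
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                final = False  # a suffix after the digits marks a pre-release
                break
            digits += ch
        if not digits:
            break
        numbers.append(int(digits))
        if not final:
            break
    return tuple(numbers), final


def version_is_patched(text):
    """True when the given version string is at or above the patched release."""
    return parse_version(text) >= FIXED_VERSION


def installed_dotenv_is_patched():
    """Check the python-dotenv distribution actually installed in this environment."""
    try:
        return version_is_patched(version("python-dotenv"))
    except PackageNotFoundError:
        return False


def check_env_target(path):
    """Reject a .env path the rewrite must not follow: a symlink, or an existing
    entry that is not a regular file. Returns 'ok' or the reason for refusal."""
    if os.path.islink(path):
        return "refuse: target is a symbolic link"
    if os.path.exists(path) and not os.path.isfile(path):
        return "refuse: target is not a regular file"
    return "ok"


def guarded_set_key(path, key, value):
    """Call dotenv.set_key() only on a patched library and a sane target path.
    The pre-check narrows the window between check and rewrite but cannot close
    it on its own; upgrading to 1.2.2 remains the actual fix."""
    if not installed_dotenv_is_patched():
        raise RuntimeError("python-dotenv older than 1.2.2: refusing to rewrite .env")
    verdict = check_env_target(path)
    if verdict != "ok":
        raise RuntimeError(verdict)
    from dotenv import set_key  # imported lazily so the guard itself has no dependency
    return set_key(path, key, value)
```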