Python-dotenv Security Flaw: CVE-2026-28684 Allows Arbitrary File Overwrite via Symlink Attack
A critical vulnerability in the widely used `python-dotenv` library exposes systems to arbitrary file overwrites. Tracked as CVE-2026-28684 (GHSA-mf9w-mj56-hr94), the flaw resides in the `set_key()` and `unset_key()` functions. These functions, responsible for modifying `.env` files that store sensitive configuration such as API keys and database passwords, improperly follow symbolic links. This creates a dangerous path traversal condition.
The core of the exploit involves a local attacker crafting a malicious symlink. When the library's file-rewrite logic falls back to a cross-device rename (a specific but plausible scenario during file operations), the symlink is followed. This allows the attacker to redirect the write operation to any file on the system the application has permission to access, not just the intended `.env` file. The vulnerability is present in versions prior to the patched release, v1.2.2.
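The defensive pattern that closes this class of bug, as an added example that is not python-dotenv's own code or its actual fix: inspect the target with `lstat`, open it with `O_NOFOLLOW`, and replace it through a temp file in the same directory so the rename is always same-filesystem and never needs a cross-device fallback. The `.env` rewriting logic and the `demo()` scenario (an `evil.env` symlink pointing at an unrelated file) are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

def safe_set_key(path: str, key: str, value: str) -> None:
    """Rewrite KEY=value in a .env file without ever following a symlink.

    Assumed mitigation pattern (not python-dotenv's fix): reject symlinks via
    lstat, open with O_NOFOLLOW, and swap the file in atomically via a temp
    file in the same directory, so os.replace is one same-device rename.
    """
    st = os.lstat(path)  # lstat inspects the link itself, not its target
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path} is not a regular file (symlink?)")
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r", encoding="utf-8") as f:
        lines = f.read().splitlines()
    new_line = f"{key}={value}"
    idx = [i for i, ln in enumerate(lines) if ln.split("=", 1)[0].strip() == key]
    if idx:
        lines[idx[0]] = new_line  # replace the first existing KEY= line
    else:
        lines.append(new_line)
    # Same directory => same filesystem => os.replace is a single atomic rename.
    tmp_fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(tmp_fd, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
        os.chmod(tmp_path, stat.S_IMODE(st.st_mode))  # keep the original mode
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise

def demo() -> dict:
    # Constructed scenario: a legitimate .env plus a symlink named like an env
    # file that points at an unrelated file the application must never touch.
    with tempfile.TemporaryDirectory() as d:
        env, target, link = (os.path.join(d, n) for n in (".env", "other.txt", "evil.env"))
        Path(env).write_text("API_KEY=old\nDB_PASS=secret\n")
        Path(target).write_text("do not touch\n")
        os.symlink(target, link)
        safe_set_key(env, "API_KEY", "new")  # normal update succeeds
        try:
            safe_set_key(link, "API_KEY", "x")  # symlink is refused
            rejected = False
        except OSError:
            rejected = True
        return {"env": Path(env).read_text(), "rejected": rejected, "target": Path(target).read_text()}
```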
This is not a theoretical risk. The `python-dotenv` library is a foundational dependency for countless Python applications, from web frameworks to data science tools, making its security posture critical. The flaw enables local privilege escalation and data destruction by overwriting critical system or application files. The update to v1.2.2 is marked as a security fix, signaling that immediate action is required. Developers and security teams must audit their dependency trees and apply this patch to mitigate the risk of credential exposure and system compromise.