Python-dotenv v1 Security Update Patches Critical File Overwrite Vulnerability (CVE-2026-28684)
A critical security vulnerability in the widely used `python-dotenv` library has been patched, prompting a dependency bump across a large number of Python projects. The flaw, tracked as CVE-2026-28684, lies in the library's `set_key()` and `unset_key()` functions. These functions rewrite `.env` files, which typically hold sensitive configuration such as API keys and database passwords, and they improperly followed symbolic links while doing so. According to the advisory, a local attacker can abuse the cross-device rename fallback (the code path taken when the rewritten file cannot be renamed onto the target because the two sit on different filesystems) to make the library write through an attacker-planted symlink and overwrite a file of the attacker's choosing. The damage is bounded by the privileges of the process that calls `set_key()` or `unset_key()`: the risk is most acute in multi-user or shared-hosting environments, where an unprivileged user can plant a symlink in a directory that a more privileged service writes to, turning the overwrite into corruption of that service's files or an escalation of privilege.
The vulnerability affects every release prior to 1.2.2, not only the 0.19.0 pin mentioned below; projects on 1.0.x through 1.2.1 need the same bump. The fix is the 1.2.2 release, and automated dependency tools such as RenovateBot have been opening update pull requests for it; the update reported here bumps the package from the vulnerable 0.19.0 to the patched 1.2.2. The GitHub security advisory is GHSA-mf9w-mj56-hr94, and the CVE is listed in the National Vulnerability Database (NVD). Exploitation does not require remote access: it hinges on an attacker with local filesystem access who can create a malicious symlink at the path the library writes to during its file-writing routine.
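The bug class described above, as an added illustration written for this page rather than code taken from `python-dotenv` or its fix: three small writers, a naive in-place fallback that opens the destination by name (and so follows a planted symlink), the same write done with `O_NOFOLLOW` (which refuses the link), and the rename path (which replaces the link inode instead of writing through it). The function names, the `.env`/`victim.txt` layout and the file contents are all constructed for the demo; it assumes a POSIX system, since `O_NOFOLLOW` does not exist on Windows.

```python
import os
import tempfile

# Constructed contents used by the demo below (not from the advisory).
VICTIM_ORIGINAL = "do not clobber me\n"
NEW_ENV = "API_KEY=rotated\n"


def write_in_place_naive(path, data):
    """Hypothetical fallback writer that opens the destination by name.

    open() resolves symlinks, so if `path` is a link planted by another local
    user the data lands in the link's target, not in the .env file.
    """
    with open(path, "w") as f:
        f.write(data)


def write_in_place_nofollow(path, data):
    """Same write, but refuses to follow a symlink at the final path component.

    O_NOFOLLOW makes os.open fail with ELOOP when `path` is a symlink, so the
    caller aborts instead of writing into whatever the link points at.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def atomic_replace(path, data):
    """The rename path: write a temp file next to the target, then os.replace().

    rename() on a symlink replaces the link's directory entry and never writes
    through it, which is why only the cross-device fallback is dangerous.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".env.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    """Run all three writers against an attacker-planted symlink and report."""
    with tempfile.TemporaryDirectory() as base:
        victim = os.path.join(base, "victim.txt")
        env = os.path.join(base, ".env")

        def reset():
            # Restore the victim file and make .env a symlink pointing at it.
            with open(victim, "w") as f:
                f.write(VICTIM_ORIGINAL)
            if os.path.lexists(env):
                os.unlink(env)
            os.symlink(victim, env)

        def victim_contents():
            with open(victim) as f:
                return f.read()

        results = {}

        reset()
        write_in_place_naive(env, NEW_ENV)
        results["naive_clobbered_victim"] = victim_contents() == NEW_ENV

        reset()
        try:
            write_in_place_nofollow(env, NEW_ENV)
            results["nofollow_refused"] = False
        except OSError:
            results["nofollow_refused"] = True
        results["nofollow_victim_intact"] = victim_contents() == VICTIM_ORIGINAL

        reset()
        atomic_replace(env, NEW_ENV)
        results["rename_victim_intact"] = victim_contents() == VICTIM_ORIGINAL
        results["rename_env_is_regular_file"] = not os.path.islink(env)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take away is which path needs hardening: the temp-file-plus-rename path is safe against a symlink at the destination by construction, so the fix for this class of bug lives in whatever the code does when the rename cannot be used, and `O_NOFOLLOW` (or an `lstat` check followed by a refusal) is the usual tool there.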
This patch triggers a widespread and urgent update cycle across the Python ecosystem. `python-dotenv` is a foundational dependency for application configuration, used alongside web frameworks like Django and Flask, in data science workflows, and in DevOps tooling. That bots like Renovate apply such fixes silently shows how much modern supply-chain security hygiene rests on automation. It also means a merged bot pull request is not the end of the job: teams still have to verify that the bump actually landed in every environment (production, staging, developer machines, container images, and any lockfile that still pins a release below 1.2.2), since each place still running an old version remains a direct path to data loss or system compromise.
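One way to do that verification over `pip freeze` or `requirements.txt` output, as an added example that is not part of the original article or of any tool named in it: it normalises package names the way pip does, treats `==` pins below 1.2.2 as vulnerable, flags non-pinned lines for manual resolution, and compares versions numerically rather than as strings. The sample lines are constructed, and `1.10.0` is a hypothetical version included only to show that lexical comparison misorders it against `1.2.2`.

```python
import re

# First patched release named in the advisory for CVE-2026-28684.
FIXED_VERSION = (1, 2, 2)

# Constructed sample: requirement/freeze lines gathered from several environments.
# "python-dotenv==1.10.0" is hypothetical and only demonstrates the ordering pitfall.
SAMPLE_LINES = """\
Django==4.2.11
python-dotenv==0.19.0
python_dotenv==1.2.2
python-dotenv==1.10.0
python-dotenv>=1.0
"""

# name, comparison operator, version; trailing markers/comments are ignored.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(===?|~=|!=|<=?|>=?)\s*([^\s;#]+)")


def parse_version(text):
    """'0.19.0' -> (0, 19, 0); trailing non-digits such as 'rc1' are dropped.

    Good enough for release versions; use packaging.version for full PEP 440.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def normalize_name(name):
    # PEP 503 normalisation: case-insensitive, and '-', '_' and '.' are equivalent.
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_lines(text, package="python-dotenv", fixed=FIXED_VERSION):
    """Return (line, verdict) pairs for every line that references `package`."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REQ_LINE.match(line)
        if not m or normalize_name(m.group(1)) != package:
            continue
        op, version = m.group(2), m.group(3)
        if op != "==":
            verdict = "unpinned: check the resolved version"
        elif parse_version(version) < fixed:
            verdict = "vulnerable"
        else:
            verdict = "patched"
        findings.append((line, verdict))
    return findings


if __name__ == "__main__":
    for line, verdict in audit_lines(SAMPLE_LINES):
        print(f"{verdict:40s} {line}")
```

Feed it `pip freeze` output from each environment (and each lockfile) rather than trusting the repository's `requirements.txt` alone; a tool such as `pip-audit` does the same job against the advisory database with full PEP 440 semantics, but the numeric-tuple comparison above is the part ad hoc scripts most often get wrong.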