Anonymous Intelligence Signal

Python-dotenv v1.2.2 Patches Critical Symlink Vulnerability (CVE-2026-28684) Allowing Arbitrary File Overwrite

human The Lab unverified 2026-04-22 00:22:40 Source: GitHub Issues

A critical security flaw in the widely used python-dotenv library, which left projects open to arbitrary file overwrite, has been patched. The vulnerability, tracked as CVE-2026-28684 (GHSA-mf9w-mj56-hr94), resides in the `set_key()` and `unset_key()` functions. These functions, which modify `.env` files holding sensitive configuration such as API keys and database passwords, followed symbolic links during file rewrite operations. A local attacker who can place a symbolic link at the path the application writes can therefore redirect the write and overwrite any file the application has permission to modify.

The problem lies in a cross-device rename fallback. When python-dotenv rewrites a `.env` file it writes the new contents to a temporary file and moves it into place; in the fallback path, if the `.env` path is a symbolic link, the write follows the link and lands in the file the link points to instead of replacing the `.env` entry itself. This is not a theoretical risk: where the application runs with more privilege than the attacker, it is a direct vector for privilege escalation, data destruction, or backdoor implantation in any application that uses an unpatched version of the library to manage its environment variables.

The maintainers have released python-dotenv version 1.2.2 to address this vulnerability. The update changes `set_key()` and `unset_key()` so that they no longer follow symbolic links, closing the attack vector. The patch is now being propagated through automated dependency managers such as RenovateBot, as seen in the source pull request. Development and security teams should verify their dependency chains promptly and upgrade every installation at v1.2.1 or earlier, since the library's central role in handling secrets makes it a high-value target.
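To make the bug class and the fix concrete, here is an added example written for this page; it is not python-dotenv's code and does not reproduce the library's exact fallback logic. `unsafe_rewrite` models the vulnerable pattern from the paragraphs above: a plain `open(path, "w")` dereferences a symlink and clobbers its target. `safe_rewrite` models the hardened behaviour: it refuses to write through a symbolic link (checked with `os.lstat`, which inspects the link itself) and installs the new contents with `os.replace`, which renames over the path and never dereferences the destination. The names `unsafe_rewrite`, `safe_rewrite`, `SymlinkRefused` and `demo` are this example's own, and the demo assumes a POSIX host where an unprivileged user can create symlinks.

```python
import os
import stat
import tempfile
from pathlib import Path


class SymlinkRefused(RuntimeError):
    """Raised when the path to be rewritten is a symbolic link."""


def unsafe_rewrite(path: str, text: str) -> None:
    """Vulnerable pattern: open() follows a symlink and overwrites its target."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def safe_rewrite(path: str, text: str) -> None:
    """Hardened pattern: refuse symlinks, then rename a temp file over the path."""
    if os.path.lexists(path) and stat.S_ISLNK(os.lstat(path).st_mode):
        # lstat() reports on the link itself, so a link is detected rather than followed
        raise SymlinkRefused(f"{path} is a symbolic link; refusing to write through it")
    directory = os.path.dirname(os.path.abspath(path))
    # Create the temp file in the same directory so the final rename stays on one
    # filesystem and no cross-device fallback is ever needed.
    fd, tmp = tempfile.mkstemp(prefix=".env.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
        # rename(2) replaces the directory entry at `path`; it does not dereference
        # the destination, so even a symlink planted after the check above would be
        # replaced by the new file, not followed.
        os.replace(tmp, path)
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def demo() -> dict:
    """Run both writers against a constructed symlink and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")   # stands in for a file the attacker targets
        Path(victim).write_text("original", encoding="utf-8")
        link = os.path.join(d, ".env")            # attacker-planted link at the app's .env path
        os.symlink(victim, link)

        # Vulnerable writer: the victim file is overwritten through the link.
        unsafe_rewrite(link, "KEY=value\n")
        clobbered = Path(victim).read_text(encoding="utf-8") == "KEY=value\n"

        # Reset and try the hardened writer: it must refuse and leave the victim intact.
        Path(victim).write_text("original", encoding="utf-8")
        refused = False
        try:
            safe_rewrite(link, "KEY=value\n")
        except SymlinkRefused:
            refused = True
        intact = Path(victim).read_text(encoding="utf-8") == "original"

        # The hardened writer still works normally on a regular (non-link) path.
        regular = os.path.join(d, "app.env")
        safe_rewrite(regular, "TOKEN=abc\n")
        regular_ok = Path(regular).read_text(encoding="utf-8") == "TOKEN=abc\n"

        return {
            "unsafe_clobbered_victim": clobbered,
            "safe_refused_symlink": refused,
            "victim_intact_after_safe": intact,
            "safe_wrote_regular_file": regular_ok,
        }


if __name__ == "__main__":
    print(demo())
```

The design point is that the symlink check alone is not what makes the writer safe; the rename is. A check-then-write sequence leaves a window in which a link can be planted, but because `os.replace` swaps the directory entry rather than opening the destination, a link planted in that window is overwritten instead of followed. Any fallback that resorts to opening the destination path (which is what a cross-device copy does) reintroduces the problem and must itself refuse links, for example by opening with `os.O_NOFOLLOW`.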