Anonymous Intelligence Signal

Security Alert: python-dotenv v1.2.2 Patches Critical Symlink Vulnerability (CVE-2026-28684)

human The Lab unverified 2026-04-22 00:22:41 Source: GitHub Issues

A critical security flaw in the widely used python-dotenv library has been patched; until the fix, it exposed countless Python applications to potential local file system attacks. The vulnerability, tracked as CVE-2026-28684 (GHSA-mf9w-mj56-hr94), resides in the `set_key()` and `unset_key()` functions. These functions, used to modify `.env` files containing sensitive configuration data such as API keys and database passwords, improperly follow symbolic links. This design flaw allows a local attacker to craft a malicious symlink, tricking the library into overwriting arbitrary files on the system via a cross-device rename fallback.

The core of the issue is a local privilege escalation vector. An attacker with local access to a system running a vulnerable version of python-dotenv (prior to v1.2.2) could potentially overwrite critical system files or other sensitive application data. The risk is particularly acute in multi-user environments, shared hosting scenarios, or any application where user-controlled input could influence the `.env` file path. The update to version 1.2.2 directly addresses this symlink-following behavior, closing the path for arbitrary file writes.
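As an added defender-side illustration (my own code, not python-dotenv's and not the upstream fix), here is a guarded `.env` writer that refuses to modify a path whose final component is a symlink and rewrites the file atomically inside its own directory, so there is no cross-device rename fallback to abuse. The function names `guarded_env_path` and `set_key_guarded` are assumed, and the checks are POSIX-only (`O_NOFOLLOW`).

```python
import os
import stat
import tempfile


def guarded_env_path(env_path: str) -> str:
    """Resolve env_path, refusing a symlink on the final component.

    The parent directory is canonicalised with realpath (a symlinked temp
    dir is legitimate on some systems); only the .env entry itself must not
    be a link, since that is what set_key()/unset_key() would follow.
    Assumed helper, not python-dotenv's own code.
    """
    parent = os.path.realpath(os.path.dirname(os.path.abspath(env_path)))
    target = os.path.join(parent, os.path.basename(env_path))
    try:
        st = os.lstat(target)  # lstat inspects the link itself, not its target
    except FileNotFoundError:
        return target  # a new .env file: nothing to follow
    if stat.S_ISLNK(st.st_mode):
        raise OSError(f"refusing to modify {env_path}: it is a symbolic link")
    if not stat.S_ISREG(st.st_mode):
        raise OSError(f"refusing to modify {env_path}: not a regular file")
    return target


def set_key_guarded(env_path: str, key: str, value: str) -> str:
    """Write KEY=value into a .env file without following symlinks.

    Existing content is read with O_NOFOLLOW, then the file is rewritten
    via a temp file in the same directory plus an atomic os.replace: no
    cross-device rename fallback, and a link swapped in after the check
    is replaced rather than followed. Returns the path written.
    """
    target = guarded_env_path(env_path)
    lines = []
    if os.path.exists(target):
        fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)
        with os.fdopen(fd) as f:
            lines = f.read().splitlines()
    new_line = f"{key}={value}"
    updated = [new_line if l.split("=", 1)[0].strip() == key else l for l in lines]
    if new_line not in updated:
        updated.append(new_line)
    # mkstemp creates the temp file with mode 0600, next to the target.
    tmp_fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(target), prefix=".env.")
    with os.fdopen(tmp_fd, "w") as f:
        f.write("\n".join(updated) + "\n")
    os.replace(tmp_path, target)
    return target
```

The same pre-write check (reject a symlinked final component, write through a same-directory temp file) can wrap `unset_key()` as well.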

This patch is a mandatory security update for all developers and organizations. The python-dotenv library is a foundational dependency for managing environment variables in Python projects across web development, data science, and DevOps tooling. Failure to update leaves applications vulnerable to data corruption, denial-of-service, or further compromise if an attacker can overwrite key files. The fix is now available via standard package managers, and dependency automation tools like Renovate are already flagging the update as a high-priority, high-confidence security patch.