Python-dotenv v1.2.1 Security Flaw: Symlink Attack Allows Arbitrary File Overwrite (CVE-2026-28684)
A critical security vulnerability in the widely used python-dotenv library exposes systems to arbitrary file overwrite attacks. The flaw, tracked as CVE-2026-28684 (GHSA-mf9w-mj56-hr94), resides in the `set_key()` and `unset_key()` functions. When these functions rewrite a `.env` file they follow symbolic links, so a local attacker who controls the `.env` path can redirect the write to any file the application is able to write, including files the attacker could not modify directly. The dangerous behaviour lies in the library's cross-device rename fallback mechanism.
The vulnerability specifically affects python-dotenv version 1.2.1. The issue stems from the library's file handling logic, which does not check whether the `.env` path is a symlink before rewriting it. A plain rename swaps the `.env` directory entry itself and never dereferences the link, but when the staged temporary file and the destination sit on different filesystems the library falls back to a copy, and that copy opens the destination path and writes through the link. An attacker with local access can create a symbolic link named `.env` that points at a sensitive target file elsewhere on the system. When an application using the vulnerable library calls `set_key()` or `unset_key()` on that path, the target file is overwritten with `.env` contents, leading to data corruption or a denial-of-service condition, and to privilege escalation if the application runs with higher privileges than the attacker or the clobbered file is later consumed by a privileged process.
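The following is an added illustration, not code from python-dotenv or from the advisory. `naive_rewrite` models a copy-based fallback of the kind the text describes by calling `shutil.copyfile` directly (the library's internal code path is not reproduced here, so treat the helper as a hypothetical stand-in); `safe_rewrite` shows the check a practitioner would want: refuse an existing symlink and finish with `os.replace`, which swaps the directory entry rather than writing through it. The `.env` link, the `victim.conf` target and their contents are constructed for the demo.

```python
import os
import shutil
import tempfile


def naive_rewrite(path: str, content: str) -> None:
    """Unsafe rewrite: stage the new content in a temp file, then copy it over
    the destination. shutil.copyfile opens the destination with open(), which
    follows a symlink, so a linked `.env` redirects the write to its target.
    (Hypothetical model of a copy-based rename fallback, not library code.)"""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".env.", dir=directory)
    with os.fdopen(fd, "w") as tmp:
        tmp.write(content)
    try:
        shutil.copyfile(tmp_path, path)  # follows the symlink: overwrites the target
    finally:
        os.unlink(tmp_path)


def safe_rewrite(path: str, content: str) -> None:
    """Hardened rewrite: refuse an existing symlink, stage in the same directory
    (so the final step is a same-filesystem rename), then os.replace(), which
    replaces the directory entry and never dereferences the destination."""
    if os.path.islink(path):
        raise OSError(f"refusing to rewrite symlink: {path}")
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".env.", dir=directory)
    try:
        with os.fdopen(fd, "w") as tmp:
            tmp.write(content)
        os.replace(tmp_path, path)  # atomic rename; no copy fallback exists here
    except BaseException:
        if os.path.lexists(tmp_path):
            os.unlink(tmp_path)
        raise


def attack_demo(rewriter) -> tuple:
    """Constructed scenario: an attacker plants a `.env` symlink pointing at a
    file they must not be able to change, then the application rewrites `.env`.
    Returns (target contents afterwards, whether `.env` is still a symlink)."""
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "victim.conf")
        with open(target, "w") as f:
            f.write("ORIGINAL\n")
        env_path = os.path.join(workdir, ".env")
        os.symlink(target, env_path)  # attacker-controlled link
        try:
            rewriter(env_path, "SECRET=attacker-controlled\n")
        except OSError:
            pass  # safe_rewrite refuses; the target is left untouched
        with open(target) as f:
            return f.read(), os.path.islink(env_path)


def regular_file_demo(rewriter) -> str:
    """Same rewriter on an ordinary `.env`: the hardened path still updates it."""
    with tempfile.TemporaryDirectory() as workdir:
        env_path = os.path.join(workdir, ".env")
        with open(env_path, "w") as f:
            f.write("OLD=1\n")
        rewriter(env_path, "NEW=1\n")
        with open(env_path) as f:
            return f.read()


if __name__ == "__main__":
    print("naive on symlink:", attack_demo(naive_rewrite))   # target overwritten
    print("safe on symlink: ", attack_demo(safe_rewrite))    # target unchanged
    print("safe on regular: ", repr(regular_file_demo(safe_rewrite)))
```

The `islink` check and the rename are not atomic, but the gap is harmless here: if an attacker swaps in a link between the two, `os.replace` overwrites the link entry itself rather than following it, so the worst outcome is that the attacker's own link is clobbered. Staging the temporary file in the destination directory is what guarantees the rename stays on one filesystem; the cross-device situation that triggers a copy fallback only arises when the temp file is created elsewhere.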
The maintainers have released python-dotenv version 1.2.2 to patch this security hole, and the update is now propagating through dependency management systems, as seen in automated pull requests from tools like Renovate. Projects that call `set_key()` or `unset_key()` should upgrade to 1.2.2 or later; until then, the practical mitigation is to ensure the directory holding the `.env` file is not writable by untrusted local users, since that is what allows the link to be planted in the first place. This flaw underscores the persistent risk in foundational developer tools that handle environment configuration: a single library used across a vast number of projects can become a vector for system compromise if its file system interactions are not rigorously secured.