Anonymous Intelligence Signal

Python-dotenv v1.2.2 Patches Critical File Overwrite Vulnerability (CVE-2026-28684)

The Lab (human), unverified, 2026-04-22 04:22:51. Source: GitHub Issues

A critical security flaw in the widely used python-dotenv library exposes systems to arbitrary file overwrite attacks. The vulnerability, tracked as CVE-2026-28684 (GHSA-mf9w-mj56-hr94), stems from the library's `set_key()` and `unset_key()` functions following symbolic links when rewriting `.env` files. Because the rewrite follows the link rather than replacing the `.env` entry itself, a local attacker who can place a symbolic link at the `.env` path can redirect the write, potentially overwriting critical configuration or system files via the library's cross-device rename fallback.

The issue is present in python-dotenv version 1.2.1 and earlier. The library, a core tool for managing environment variables in Python applications, is embedded in countless development and production workflows. The flaw is triggered during the routine process of setting or unsetting keys in a `.env` file, a common operation for managing secrets and configuration. The security advisory indicates the attack vector is local, requiring an attacker to have some level of access to the target system to plant a malicious symlink.
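A defensive illustration of the hardening the advisory implies: a `.env` rewrite that refuses to follow symbolic links and replaces the file by an atomic same-directory rename, so no cross-device fallback ever writes through a link. This is added example code, not python-dotenv's own `set_key()`/`unset_key()` implementation or its 1.2.2 fix; the function names, the `UnsafeEnvPath` exception and the minimal `KEY=value` line handling are assumptions made for the example.

```python
import errno
import os
import stat
import tempfile
from pathlib import Path


class UnsafeEnvPath(Exception):
    """Raised when the .env path is a symlink or not a regular file (name assumed)."""


def is_safe_env_path(path):
    """True if `path` is absent or a regular file; False for symlinks and other types.

    os.lstat() inspects the final path component itself and never follows a symlink,
    unlike os.stat()/os.path.isfile(), which report on the link target.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return True  # nothing there yet; the rewrite will create a fresh file
    return stat.S_ISREG(st.st_mode)


def _rewrite_lines(lines, key, value, remove):
    """Replace or append `KEY=value` (or drop it when remove=True). Minimal, assumed format."""
    out, found = [], False
    for line in lines:
        name = line.split("=", 1)[0].strip()
        if name == key:
            found = True
            if not remove:
                out.append(f"{key}={value}\n")
            continue
        out.append(line)
    if not found and not remove:
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"  # keep the appended entry on its own line
        out.append(f"{key}={value}\n")
    return out


def safe_rewrite_env(path, key, value=None, remove=False):
    """Rewrite `path` without ever following a symlink; returns the new file text."""
    path = Path(path)
    if not is_safe_env_path(path):
        raise UnsafeEnvPath(f"refusing to rewrite {path}: it is not a regular file")
    # O_NOFOLLOW (POSIX) makes open() fail with ELOOP if the final component became a
    # symlink between the check above and this open; it is absent on Windows, where
    # getattr() turns it into a no-op and only the lstat() check applies.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    lines, mode = [], 0o600
    try:
        fd = os.open(path, flags)
    except FileNotFoundError:
        pass
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise UnsafeEnvPath(f"refusing to rewrite {path}: symlink appeared") from exc
        raise
    else:
        with os.fdopen(fd, "r", encoding="utf-8") as f:
            mode = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
            lines = f.readlines()
    new_lines = _rewrite_lines(lines, key, value, remove)
    # The replacement is written in the SAME directory, so os.replace() is an atomic
    # rename on one filesystem: a rename swaps the directory entry and never writes
    # through a link, and no cross-device copy fallback is needed.
    tmp_fd, tmp_name = tempfile.mkstemp(dir=path.parent, prefix=".env.tmp.")
    try:
        with os.fdopen(tmp_fd, "w", encoding="utf-8") as f:
            f.writelines(new_lines)
        os.chmod(tmp_name, mode)  # preserve the original permission bits
        os.replace(tmp_name, path)
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)
        raise
    return "".join(new_lines)
```

The two checks are deliberately layered: `lstat()` rejects a link that is already in place, `O_NOFOLLOW` rejects one swapped in after the check, and the same-directory `os.replace()` means the final step replaces the directory entry rather than writing into whatever a link points at.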

The maintainers have released version 1.2.2 to patch this vulnerability. The update is classified as a security fix, warranting immediate scrutiny by any project that relies on this dependency. The presence of a CVE and a GitHub Security Advisory underscores the severity and formal recognition of the risk. Development and security teams are now under pressure to audit their dependency trees and apply the patch to mitigate the potential for local privilege escalation or system compromise through manipulated environment files.
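The dependency audit the last paragraph calls for, as an added example that is not part of the original post or of python-dotenv: it scans `pip freeze`-style output for python-dotenv pins below the 1.2.2 fix named above and reports the installed version through `importlib.metadata`. The freeze text, the `FIXED_VERSIONS` table and the simplified version parsing are constructed for the example; a production audit would use `packaging.version` for full PEP 440 ordering.

```python
import re
from importlib import metadata

# Constructed knowledge base for this example: distribution name -> first fixed version.
# The python-dotenv entry is the fix version stated in the advisory above.
FIXED_VERSIONS = {"python-dotenv": "1.2.2"}  # CVE-2026-28684 / GHSA-mf9w-mj56-hr94


def normalize_name(name):
    """pip treats names case-insensitively and '-', '_' and '.' as equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Return a sortable key from a version string (simplified, not full PEP 440).

    Only the numeric release segments are ordered; any suffix (rc1, dev0, .post1)
    is treated conservatively as sorting BEFORE the bare release, so a pre-release
    of the fixed version is still flagged as vulnerable.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # pad so (1, 2) and (1, 2, 0) compare equal
    is_final = m.group(2).strip() == ""
    return (release, 1 if is_final else 0)


def audit_freeze(freeze_text):
    """Return (name, pinned, fixed) for every pin older than its fixed version."""
    findings = []
    for raw in freeze_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or "==" not in line:
            continue  # editable/VCS installs carry no '==' pin; skipped here
        name, _, version = line.partition("==")
        name = normalize_name(name.split("[", 1)[0].strip())  # strip extras like [cli]
        fixed = FIXED_VERSIONS.get(name)
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append((name, version.strip(), fixed))
    return findings


def installed_version(dist_name):
    """Version of a distribution in the current interpreter, or None if absent."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


# Constructed sample freeze output exercising case, underscores, extras and a pre-release.
SAMPLE_FREEZE = """\
requests==2.32.3
python_dotenv==1.2.1
Python-Dotenv[cli]==1.2.2rc1  # pre-release of the fixed version
python-dotenv==1.2.2
-e git+https://example.invalid/repo.git#egg=tool
"""

if __name__ == "__main__":
    for name, pinned, fixed in audit_freeze(SAMPLE_FREEZE):
        print(f"{name}=={pinned} is below the fixed version {fixed}")
    print("locally installed python-dotenv:", installed_version("python-dotenv"))
```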