CVE-2026-28684 — Link Following in Python-dotenv
Severity: 6.6 MEDIUM (NVD)
EPSS: 0.0% (top 98.77%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 20; latest update Apr 22
Description
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when the cross-device rename fallback is triggered. Users should upgrade to v1.2.2 or, as a workaround, apply the patch manually.
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H (Exploitability: 1.3 | Impact: 5.2)
Affected Packages: 63 packages
Vendor Advisories: 2 (Red Hat: 1)
Community: 5 Bugzilla entries
Bugzilla (2026-04-22): CVE-2026-28684 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following [epel-all]
Bugzilla (2026-04-22): CVE-2026-28684 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following [fedora-all]
Bugzilla (2026-04-22): CVE-2026-28684 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following [fedora-42]
Bugzilla (2026-04-22): CVE-2026-28684 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following [fedora-43]
Bugzilla (2026-04-20): CVE-2026-28684 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following