CVE-2026-28684

Name: CVE-2026-28684
Description: python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v1.2.2 or, as a workaround, apply the patch manually.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1134491
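The bug class described above (a file rewrite that ends in a copy rather than a rename, so the destination is opened for writing and any symlink there is followed) is easiest to see side by side with the safe pattern. The following is an added illustration, not python-dotenv's own code or its fix: `naive_rewrite()` is a generic copy-over-destination rewrite of the kind the advisory warns about, `safe_rewrite()` refuses symlinks and replaces the file with a same-directory `os.replace()`, and `demo()` sets up a constructed scenario in which `.env` has been replaced by a symlink to a file the attacker wants to clobber. The function names, the `victim.txt` target and the `KEY=value` content are all assumptions made for the example.

```python
import os
import shutil
import stat
import tempfile


def naive_rewrite(path: str, content: str) -> None:
    """Illustrative vulnerable pattern (hypothetical, not the library's code).

    The temp file is created in the default temp directory, which is
    typically a different filesystem from `path`, so a rename is not
    possible and the data is copied across. shutil.copyfile() opens the
    destination for writing, which follows a symlink at `path` and
    overwrites whatever it points at.
    """
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write(content)
    try:
        shutil.copyfile(tmp.name, path)
    finally:
        os.unlink(tmp.name)


def safe_rewrite(path: str, content: str) -> None:
    """Hardened pattern: refuse symlinks, then replace atomically.

    The temp file is created next to the target so rename() never needs a
    cross-device fallback. rename()/os.replace() swaps the directory entry
    and never follows a symlink, so even if an attacker races the lstat()
    check the worst case is that their symlink is replaced by our regular
    file; the symlink's target is never written through.
    """
    try:
        st = os.lstat(path)  # lstat: inspect the link itself, not its target
        if stat.S_ISLNK(st.st_mode):
            raise OSError(f"refusing to rewrite symlink: {path}")
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"refusing to rewrite non-regular file: {path}")
    except FileNotFoundError:
        pass  # creating a brand-new file is fine
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".env.", dir=dirname)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.replace(tmp_path, path)  # atomic, same filesystem, no symlink following
    except BaseException:
        os.unlink(tmp_path)
        raise


def demo() -> dict:
    """Constructed scenario: .env is a symlink to a file the attacker targets.

    Returns the target's contents after each rewrite strategy and whether
    the hardened version refused the operation.
    """
    base = tempfile.mkdtemp()
    try:
        target = os.path.join(base, "victim.txt")  # hypothetical sensitive file
        with open(target, "w") as f:
            f.write("original\n")
        link = os.path.join(base, ".env")
        os.symlink(target, link)  # attacker-planted symlink standing in for .env

        naive_rewrite(link, "KEY=value\n")
        with open(target) as f:
            after_naive = f.read()  # target clobbered through the symlink

        with open(target, "w") as f:  # reset for the second run
            f.write("original\n")
        refused = False
        try:
            safe_rewrite(link, "KEY=value\n")
        except OSError:
            refused = True
        with open(target) as f:
            after_safe = f.read()  # target untouched
    finally:
        shutil.rmtree(base)
    return {"after_naive": after_naive, "refused": refused, "after_safe": after_safe}


if __name__ == "__main__":
    print(demo())
```

The check-then-replace ordering matters less than the choice of primitive: `os.replace()` (rename) operates on the directory entry and is immune to a symlink at the destination, whereas any copy-based fallback reopens the destination path and inherits whatever it resolves to at that moment. On Windows, creating symlinks in `demo()` requires the appropriate privilege or developer mode.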

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release      Version    Status
python-dotenv (PTS)   bullseye     0.15.0-1   vulnerable
                      bookworm     0.21.0-1   vulnerable
                      trixie       1.0.1-1    vulnerable
                      forky, sid   1.2.1-2    vulnerable

The information below is based on the following data on fixed versions.

Package         Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
python-dotenv   source   (unstable)   (unfixed)                          1134491

Notes

https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94
Fixed by: https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311 (v1.2.2)
