Description
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually.
Published: 2026-04-20
Score: 6.6 Medium
EPSS: n/a
KEV: No
Impact: Arbitrary file overwrite via symbolic link following during .env rewrite
Action: Update to v1.2.2
AI Analysis

Impact

Prior to version 1.2.2, python-dotenv’s set_key and unset_key functions follow symbolic links when rewriting .env files, enabling a local attacker to overwrite arbitrary files on the same device through a crafted symlink when a cross‑device rename fallback is triggered. This file‑write flaw can lead to modification of critical configuration files or other sensitive data, potentially resulting in privilege escalation or remote code execution if exploited against executable or configuration files.

Affected Systems

The vulnerability affects all installations of the theskumar python-dotenv library released before version 1.2.2. Any deployment that has not applied the upstream patch (as referenced by the commit and release notes) remains susceptible.

Risk and Exploitability

With a CVSS score of 6.6 the vulnerability is considered moderate. The exploit requires local write access to the .env file and the ability to trigger a rewrite operation; EPSS data is not available, and the issue is not listed in the CISA KEV catalog. Because the attack relies on a local file‑write weakness (CWE‑59) and symbolic‑link traversal (CWE‑61), the risk is mitigated by restricting write permissions on .env files and by applying the official fix.

Generated by OpenCVE AI on April 20, 2026 at 17:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade python-dotenv to version 1.2.2 or later to eliminate symlink following during .env file rewrite.
  • If updating the library is not immediately possible, apply the patch manually by replacing the set_key and unset_key implementations with the corrected code from the referenced commit.
  • Restrict write permissions on .env files so that only trusted users can modify them, preventing local attackers from creating malicious symlinks.

Generated by OpenCVE AI on April 20, 2026 at 17:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually.
Title python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
Weaknesses CWE-59
CWE-61
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T17:43:09.477Z

Reserved: 2026-03-02T21:43:19.927Z

Link: CVE-2026-28684

cve-icon Vulnrichment

Updated: 2026-04-20T17:42:50.526Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-20T17:16:33.087

Modified: 2026-04-20T19:03:07.607

Link: CVE-2026-28684

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses