CVE-2026-28684

low-risk
Published 2026-04-20

python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually.

Do I need to act?

-
0.02% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.6/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Python-Dotenv

Affected Vendors

Saurabh-Kumar

References (4)

Patch https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca...
Release Notes https://github.com/theskumar/python-dotenv/releases/tag/v1.2.2
Exploit https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr...
Exploit https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr...
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal