CVE-2026-28684: CWE-59: Improper Link Resolution Before File Access ('Link Following') in theskumar python-dotenv
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually.
AI Analysis
Technical Summary
The python-dotenv library, used to read and set environment variables from .env files, contained a vulnerability (CVE-2026-28684) in versions before 1.2.2. The set_key() and unset_key() functions improperly follow symbolic links when rewriting .env files, enabling a local attacker to overwrite arbitrary files via a crafted symlink. This occurs specifically when a cross-device rename fallback is triggered, i.e. when the rewritten temporary file cannot simply be renamed over the target because the two live on different filesystems. The vulnerability is categorized under CWE-59 (Improper Link Resolution Before File Access) and CWE-61 (UNIX Symbolic Link (Symlink) Following). The issue was addressed in version 1.2.2.
Potential Impact
The vulnerability allows a local attacker with limited privileges to overwrite arbitrary files on the filesystem by exploiting symbolic link following during .env file updates. This can lead to integrity and availability impacts, such as modifying critical files or disrupting application behavior. There is no direct confidentiality impact reported. The CVSS 3.1 score is 6.6 (medium severity), reflecting the need for user interaction and local access.
Mitigation Recommendations
Users should upgrade python-dotenv to version 1.2.2 or later, where this vulnerability is fixed. If upgrading is not immediately possible, users can manually apply the patch to prevent symbolic link following during .env file rewriting. No vendor advisory was provided, so patch status is inferred from the version information in the description.
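The defensive direction the advisory points at, shown as an added example (not python-dotenv's own code or its patch): a rewrite helper that refuses to write through a symlink and creates its temporary file next to the target, so the final rename never crosses devices and a copy fallback is never reached. The function names and the sample .env contents are this example's own.

```python
# Added example, not python-dotenv's own code: a symlink-refusing atomic .env
# rewrite; safe_rewrite_env(), set_key_safely() and run_demo() are hypothetical.
import os
import tempfile
from pathlib import Path
class SymlinkRefused(RuntimeError): pass  # a write would land wherever the link points

def _refuse_symlink(target: Path) -> None:
    if target.is_symlink():  # lstat(): inspects the link itself, not its target
        raise SymlinkRefused(f"{target} is a symlink; refusing to rewrite it")

def safe_rewrite_env(path, lines) -> None:
    target = Path(path).absolute()
    _refuse_symlink(target)
    # Temp file in the target's own directory, so os.replace() is a same-filesystem
    # rename and the cross-device copy fallback (the vulnerable path) is never needed.
    with tempfile.NamedTemporaryFile("w", dir=str(target.parent), prefix=".env.",
                                     delete=False, encoding="utf-8") as tmp:
        tmp.write("".join(line + "\n" for line in lines))
    try:
        _refuse_symlink(target)       # re-check immediately before the rename
        os.replace(tmp.name, target)  # rename swaps out a link itself, not its target
    except BaseException:
        os.unlink(tmp.name)
        raise

def set_key_safely(path, key: str, value: str) -> list:
    # Set KEY=value in a .env-style file (replace in place or append); returns lines.
    target = Path(path)
    _refuse_symlink(target)  # refuse to read through a symlink as well
    old = target.read_text(encoding="utf-8").splitlines() if target.exists() else []
    def is_key(ln): return ln.split("=", 1)[0].strip() == key
    new = [f"{key}={value}" if is_key(ln) else ln for ln in old]
    new += [] if any(map(is_key, old)) else [f"{key}={value}"]
    safe_rewrite_env(target, new)
    return new

def run_demo() -> dict:
    # A normal update succeeds; an update aimed through a symlink is refused.
    with tempfile.TemporaryDirectory() as d:
        env, victim, link = Path(d, ".env"), Path(d, "victim.txt"), Path(d, "link.env")
        env.write_text("APP=old\nDEBUG=1\n", encoding="utf-8")  # constructed sample
        victim.write_text("keep me\n", encoding="utf-8")        # file the link points at
        link.symlink_to(victim)
        out = {"written": set_key_safely(env, "APP", "new"), "refused": False}
        try:
            set_key_safely(link, "APP", "x")
        except SymlinkRefused:
            out["refused"] = True
        return {**out, "victim": victim.read_text(encoding="utf-8")}
```

The remaining window between the lstat check and the rename is narrow, and on POSIX a rename onto a symlink path replaces the link itself rather than writing through it, which is why the rename, not a copy, must be the only way the target is ever updated.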
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-02T21:43:19.927Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e6585319fe3cd2cd13fc2e
Added to database: 4/20/2026, 4:46:11 PM
Last enriched: 4/20/2026, 5:02:25 PM
Last updated: 4/21/2026, 7:05:33 AM