Medium severity (6.6) · NVD Advisory · Published Apr 20, 2026 · Updated Apr 27, 2026
CVE-2026-28684
Description
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, set_key() and unset_key() in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v1.2.2 or, as a workaround, apply the patch manually.
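As an added illustration of the defensive pattern the description implies (this is example code, not python-dotenv's own implementation or its fix), the hypothetical helper below rewrites a .env-style file only after confirming the target directory entry is not a symlink, and renames the new content over it from a temporary file in the same directory so that no cross-device fallback is ever reached. The `demo()` scenario, file names and contents are constructed for this example.

```python
import os
import stat
import tempfile


def safe_set_key(path, key, value):
    """Set KEY=value in a .env-style file without writing through a symlink.
    Hypothetical hardened helper, not python-dotenv's code: lstat() inspects the
    directory entry itself and never follows links; the content is renamed over it
    from a temp file in the same directory, so no cross-device fallback is reached."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        st = None
    if st is not None and stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"refusing to rewrite symlink: {path}")
    lines = []
    if st is not None:
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    out = [f"{key}={value}" if ln.split("=", 1)[0].strip() == key else ln
           for ln in lines]
    if not any(ln.split("=", 1)[0].strip() == key for ln in lines):
        out.append(f"{key}={value}")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("\n".join(out) + "\n")
        os.replace(tmp, path)  # swaps the directory entry; a link is replaced, not followed
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    """Constructed scenario: a plain .env is rewritten; a symlinked one is refused."""
    with tempfile.TemporaryDirectory() as d:
        env, decoy, link = (os.path.join(d, n) for n in (".env", "decoy.txt", "link.env"))
        with open(env, "w") as fh:
            fh.write("A=1\nB=2\n")
        with open(decoy, "w") as fh:  # stands in for any file a crafted link might target
            fh.write("untouched\n")
        os.symlink(decoy, link)
        safe_set_key(env, "B", "3")
        try:
            safe_set_key(link, "X", "y")
            refused = False
        except PermissionError:
            refused = True
        return {"env": open(env).read(), "decoy": open(decoy).read(), "refused": refused}
```

Running `demo()` shows the regular file updated in place while the decoy behind the symlink is left untouched and the call is refused.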
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| python-dotenv (PyPI) | < 1.2.2 | 1.2.2 |
Affected products
Affected version ranges by package coordinate (OSV coordinates; no CPE is assigned to any of these entries):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/authentik-2025.12 | < 2025.12.4-r5 |
| pkg:apk/chainguard/authentik-2026.2 | < 2026.2.1-r5 |
| pkg:apk/chainguard/authentik-fips-2025.12 | < 2025.12.4-r4 |
| pkg:apk/chainguard/authentik-fips-2026.2 | < 2026.2.1-r4 |
| pkg:apk/chainguard/ggshield | < 1.51.0-r4 |
| pkg:apk/chainguard/keep-api | < 0.51.0-r6 |
| pkg:apk/chainguard/keep-api-fips | < 0.51.0-r6 |
| pkg:apk/chainguard/kserve-storage-controller | < 0.17.0-r2 |
| pkg:apk/chainguard/litellm | < 1.83.10.0-r0 |
| pkg:apk/chainguard/localstack | < 4.14.0-r9 |
| pkg:apk/chainguard/superset-5.0 | < 5.0.0-r24 |
| pkg:apk/chainguard/superset-6.0 | < 6.0.0-r11 |
| pkg:apk/wolfi/ggshield | < 1.51.0-r4 |
| pkg:apk/wolfi/kserve-storage-controller | < 0.17.0-r2 |
| pkg:apk/wolfi/superset-5.0 | < 5.0.0-r24 |
| pkg:apk/wolfi/superset-6.0 | < 6.0.0-r11 |
| pkg:pypi/python-dotenv | < 1.2.2 |
| pkg:rpm/opensuse/python-python-dotenv&distro=openSUSE%20Leap%2016.0 | < 1.1.0-160000.3.1 |
| pkg:rpm/suse/python-python-dotenv&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 1.1.0-160000.3.1 |
| pkg:rpm/suse/python-python-dotenv&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 1.1.0-160000.3.1 |
References
- github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311 (NVD: Patch, Web)
- github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94 (NVD: Exploit, Patch, Vendor Advisory, Web)
- github.com/advisories/GHSA-mf9w-mj56-hr94 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28684 (GHSA: Advisory)
- github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311.patch (GHSA: Web)
- github.com/theskumar/python-dotenv/releases/tag/v1.2.2 (NVD: Release Notes, Web)