{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28684", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-02T21:43:19.927Z", "datePublished": "2026-04-20T16:25:12.302Z", "dateUpdated": "2026-04-20T17:43:09.477Z"}, "containers": {"cna": {"title": "python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback", "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-61", "lang": "en", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94"}, {"name": "https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311", "tags": ["x_refsource_MISC"], "url": "https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311"}, {"name": "https://github.com/theskumar/python-dotenv/releases/tag/v1.2.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/theskumar/python-dotenv/releases/tag/v1.2.2"}], "affected": [{"vendor": "theskumar", "product": "python-dotenv", "versions": [{"version": "< 1.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T16:25:12.302Z"}, "descriptions": [{"lang": "en", "value": "python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually."}], "source": {"advisory": "GHSA-mf9w-mj56-hr94", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T17:43:03.518532Z", "id": "CVE-2026-28684", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T17:43:09.477Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28684", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T17:43:03.518532Z"}}}], "references": [{"url": "https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T17:42:50.526Z"}}], "cna": {"title": "python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback", "source": {"advisory": "GHSA-mf9w-mj56-hr94", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "theskumar", "product": "python-dotenv", "versions": [{"status": "affected", "version": "< 1.2.2"}]}], "references": [{"url": "https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94", "name": "https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311", "name": "https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/theskumar/python-dotenv/releases/tag/v1.2.2", "name": "https://github.com/theskumar/python-dotenv/releases/tag/v1.2.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-61", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T16:25:12.302Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28684", "state": "PUBLISHED", "dateUpdated": "2026-04-20T17:43:09.477Z", "dateReserved": "2026-03-02T21:43:19.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-20T16:25:12.302Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually."}], "id": "CVE-2026-28684", "lastModified": "2026-04-20T18:16:26.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-20T17:16:33.087", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311"}, {"source": "security-advisories@github.com", "url": "https://github.com/theskumar/python-dotenv/releases/tag/v1.2.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-61"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T17:17:26.292754+00:00", "value": {"mitigation_remediation": ["Upgrade python-dotenv to version 1.2.2 or later to eliminate symlink following during .env file rewrite.", "If updating the library is not immediately possible, apply the patch manually by replacing the set_key and unset_key implementations with the corrected code from the referenced commit.", "Restrict write permissions on .env files so that only trusted users can modify them, preventing local attackers from creating malicious symlinks."], "summary": {"action": "Update to v1.2.2", "impact": "Arbitrary file overwrite via symbolic link following during .env rewrite"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the theskumar python-dotenv library released before version 1.2.2. Any deployment that has not applied the upstream patch (as referenced by the commit and release notes) remains susceptible.", "description_and_impact": "Prior to version 1.2.2, python-dotenv\u2019s set_key and unset_key functions follow symbolic links when rewriting .env files, enabling a local attacker to overwrite arbitrary files on the same device through a crafted symlink when a cross\u2011device rename fallback is triggered. This file\u2011write flaw can lead to modification of critical configuration files or other sensitive data, potentially resulting in privilege escalation or remote code execution if exploited against executable or configuration files.", "risk_and_exploitability": "With a CVSS score of 6.6 the vulnerability is considered moderate. The exploit requires local write access to the .env file and the ability to trigger a rewrite operation; EPSS data is not available, and the issue is not listed in the CISA KEV catalog. Because the attack relies on a local file\u2011write weakness (CWE\u201159) and symbolic\u2011link traversal (CWE\u201161), the risk is mitigated by restricting write permissions on .env files and by applying the official fix."}}}}, "created": "2026-04-20T17:30:12.647530+00:00", "updated": "2026-04-20T17:30:12.647541+00:00", "vendors": []}