CVE-2026-28684 Overview
CVE-2026-28684 is a symlink attack vulnerability affecting python-dotenv, a popular Python library that reads key-value pairs from .env files and sets them as environment variables. Prior to version 1.2.2, the set_key() and unset_key() functions follow symbolic links when rewriting .env files, enabling a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered.
Critical Impact
Local attackers can exploit this vulnerability to overwrite arbitrary files on the system, potentially leading to integrity compromise or denial of service through destruction of critical files.
Affected Products
- python-dotenv versions prior to 1.2.2
Discovery Timeline
- 2026-04-20 - CVE-2026-28684 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-28684
Vulnerability Analysis
This vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack. The flaw exists in how python-dotenv handles file operations when modifying .env files through its set_key() and unset_key() functions.
When these functions modify a .env file, they may trigger a cross-device rename fallback mechanism. During this fallback process, the library fails to properly resolve or validate symbolic links before performing write operations. This insecure behavior allows an attacker who can place a symlink in the expected location of a .env file to redirect write operations to arbitrary files on the filesystem.
The attack requires local access and user interaction, as the victim must trigger one of the vulnerable functions while the malicious symlink is in place. Successful exploitation can result in complete integrity and availability compromise of the targeted files.
Root Cause
The root cause of this vulnerability lies in the improper handling of symbolic links during file rewriting operations. When python-dotenv performs a cross-device rename fallback, it follows symlinks without verifying whether the target path is a legitimate .env file or a symbolic link pointing elsewhere. This failure to resolve and validate the link target before writing allows the file content to be written to unintended locations.
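The defensive pattern the root cause calls for, as an added example that is not python-dotenv's code and not its 1.2.2 patch: inspect the .env path with lstat() so a link is seen as a link, write the new content to a temporary file in the same directory (so the final step is a same-filesystem rename and no copy-into-the-target fallback is ever needed), and refuse to proceed when the path is a symbolic link. The function and exception names (rewrite_env, set_key, SymlinkRefused, demo) are hypothetical, and the .env content and the "sensitive" file in demo() are constructed fixtures.

```python
# Added example (not python-dotenv's own code): a symlink-refusing, same-device
# atomic rewrite of a .env file, the guard a CWE-59 flaw of this kind needs.
# All names here are hypothetical.
import os
import stat
import tempfile


class SymlinkRefused(RuntimeError):
    """Raised when the .env path is a symbolic link instead of a regular file."""


def _refuse_symlink(path: str) -> None:
    """lstat() the path so a symlink is reported as a link, not as its target."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return  # a missing file is fine; it will be created
    if stat.S_ISLNK(st.st_mode):
        raise SymlinkRefused(f"{path} is a symbolic link; refusing to write through it")
    if not stat.S_ISREG(st.st_mode):
        raise SymlinkRefused(f"{path} is not a regular file")


def rewrite_env(path: str, content: str) -> None:
    """Replace `path` with `content` atomically without following symlinks.

    The temporary file lives in the same directory as the target, so
    os.replace() is a same-filesystem rename. rename(2) swaps the directory
    entry and never writes through a link, so the copy-into-target fallback
    (the step that follows a symlink) is not needed at all.
    """
    _refuse_symlink(path)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".env.tmp.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(content)
        _refuse_symlink(path)  # re-check so a link planted meanwhile is reported, not replaced
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except OSError:
            pass
        raise


def set_key(path: str, key: str, value: str) -> str:
    """Set KEY=value in the .env file (replace or append) and return the new text."""
    _refuse_symlink(path)  # refuse before reading, so a linked target is never read either
    lines = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    new_line = f"{key}={value}"
    for i, line in enumerate(lines):
        if line.split("=", 1)[0].strip() == key:
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    text = "\n".join(lines) + "\n"
    rewrite_env(path, text)
    return text


def demo() -> dict:
    """Constructed scenario: a real .env is updated; a linked path is refused."""
    with tempfile.TemporaryDirectory() as tmpdir:
        env = os.path.join(tmpdir, ".env")
        with open(env, "w", encoding="utf-8") as fh:
            fh.write("DEBUG=0\nDB_HOST=localhost\n")
        after_set = set_key(env, "DEBUG", "1")

        # Constructed stand-in for a file that must not be overwritten
        sensitive = os.path.join(tmpdir, "sensitive.conf")
        with open(sensitive, "w", encoding="utf-8") as fh:
            fh.write("keep me\n")
        link = os.path.join(tmpdir, "linked.env")
        os.symlink(sensitive, link)
        try:
            set_key(link, "DEBUG", "1")
            refused = False
        except SymlinkRefused:
            refused = True
        with open(sensitive, encoding="utf-8") as fh:
            untouched = fh.read() == "keep me\n"
    return {"after_set": after_set, "refused": refused, "sensitive_untouched": untouched}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the regular file updated to DEBUG=1 while the write through the link is refused and the linked file keeps its content. The second lstat() before os.replace() does not close a race window by itself; its job is to surface tampering as an error rather than silently replacing a link, while the rename keeps the linked target safe either way.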
Attack Vector
The attack vector is local, requiring the attacker to have some level of access to the system where python-dotenv is being used. The exploitation scenario involves:
- The attacker creates a malicious symbolic link at the location where a .env file is expected
- The symlink points to a sensitive file the attacker wishes to overwrite (e.g., configuration files, scripts, or other critical system files)
- When a privileged user or application calls set_key() or unset_key() on what it believes is the .env file, the operation follows the symlink
- The targeted file gets overwritten with the .env content, potentially destroying critical data or enabling further exploitation
This attack requires user interaction (the victim must trigger the vulnerable function) and low privileges to set up the initial symlink.
Detection Methods for CVE-2026-28684
Indicators of Compromise
- Unexpected symlinks appearing in directories containing .env files
- Modification of system or application files that should not be written to by python-dotenv operations
- Unusual file permission changes or ownership modifications on sensitive configuration files
- Log entries indicating .env file operations targeting unexpected paths
Detection Strategies
- Monitor file system operations for symlink creation in directories where .env files are commonly stored
- Implement file integrity monitoring on critical system and application configuration files
- Use application-level logging to track set_key() and unset_key() function calls and their target paths
- Deploy endpoint detection rules that alert on processes following symlinks during file write operations
Monitoring Recommendations
- Enable audit logging for symlink creation events in application directories
- Configure SentinelOne endpoint protection to monitor for suspicious file linking patterns
- Implement real-time alerting for unexpected writes to sensitive system files
- Review application logs for python-dotenv operations that may indicate exploitation attempts
How to Mitigate CVE-2026-28684
Immediate Actions Required
- Upgrade python-dotenv to version 1.2.2 or later immediately
- Audit existing .env file locations for unexpected symbolic links
- Review file permissions on directories containing .env files to restrict symlink creation
- Implement temporary access controls to limit who can create files in sensitive directories
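The audit the Detection Strategies and Immediate Actions both ask for (unexpected symlinks where .env files live), as an added example that is not part of the advisory: walk an application tree without following directory links, report every .env-style entry that is a symbolic link, where it resolves, whether it points outside the audited tree, and whether it dangles. The names (audit_env_symlinks, EnvLinkFinding, demo) are hypothetical and the directory layout in demo() is constructed.

```python
# Added example (not part of the advisory): audit .env locations for symbolic
# links, a Python counterpart of `find <root> -name .env -type l` that also
# flags links resolving outside the application tree. Names are hypothetical.
import os
import tempfile
from dataclasses import dataclass


@dataclass
class EnvLinkFinding:
    link_path: str      # the .env entry that is a symlink
    target: str         # the raw link target as stored in the symlink
    resolved: str       # fully resolved path (follows link chains)
    escapes_root: bool  # True when the final target lies outside the audited tree
    dangling: bool      # True when the final target does not exist


def audit_env_symlinks(root: str) -> list:
    """Report every .env / .env.* entry under `root` that is a symbolic link."""
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: never descend into a linked directory during the sweep
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if not name.startswith(".env"):
                continue
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            resolved = os.path.realpath(path)
            findings.append(EnvLinkFinding(
                link_path=path,
                target=os.readlink(path),
                resolved=resolved,
                escapes_root=os.path.commonpath([root_real, resolved]) != root_real,
                dangling=not os.path.exists(resolved),
            ))
    return sorted(findings, key=lambda f: f.link_path)


def demo() -> dict:
    """Constructed tree: one regular .env, one in-tree link, one escaping link, one dangling link."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "app")
        os.makedirs(os.path.join(app, "svc"))
        with open(os.path.join(app, ".env"), "w", encoding="utf-8") as fh:
            fh.write("A=1\n")
        with open(os.path.join(tmp, "outside.conf"), "w", encoding="utf-8") as fh:
            fh.write("not an env file\n")
        os.symlink("../.env", os.path.join(app, "svc", ".env"))                 # stays in tree
        os.symlink(os.path.join(tmp, "outside.conf"),
                   os.path.join(app, "svc", ".env.local"))                      # escapes the tree
        os.symlink(os.path.join(app, "missing"), os.path.join(app, ".env.dangling"))  # dangles

        findings = audit_env_symlinks(app)
        rel = lambda f: os.path.relpath(f.link_path, app)
        return {
            "total": len(findings),
            "escaping": [rel(f) for f in findings if f.escapes_root],
            "dangling": [rel(f) for f in findings if f.dangling],
        }


if __name__ == "__main__":
    print(demo())
```

A link that stays inside the tree (a service directory pointing at a shared parent .env) may well be legitimate; the findings to act on first are those that escape the application root, since that is the shape a CWE-59 write redirection takes.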
Patch Information
The vulnerability has been addressed in python-dotenv version 1.2.2. Users should upgrade to this version or later to receive the fix. The patch is available through the GitHub Commit and the GitHub Release v1.2.2. Additional details can be found in the GitHub Security Advisory GHSA-mf9w-mj56-hr94.
Workarounds
- Apply the patch manually from the security advisory if immediate upgrade is not possible
- Restrict write permissions on directories containing .env files to trusted users only
- Implement file system monitoring to detect and alert on symlink creation in sensitive directories
- Consider using containerization or sandboxing to limit the impact of potential exploitation
# Upgrade python-dotenv to patched version
pip install --upgrade "python-dotenv>=1.2.2"
# Verify installed version
pip show python-dotenv | grep Version
# Check for symbolic links in .env file locations
find /path/to/application -name ".env" -type l -ls
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.