## CVE-2026-28684: python-dotenv Symlink Flaw Enables Arbitrary Local File Overwrite
A critical vulnerability in the python-dotenv library exposes systems to local symlink-based file overwrite attacks. CVE-2026-28684 affects version 1.1.0 and earlier, allowing a local attacker to manipulate the `set_key()` and `unset_key()` functions into redirecting writes to arbitrary files on the system.

The flaw resides in the `rewrite()` context manager within `dotenv/main.py`. When these functions modify `.env` files, they write a temporary copy to the system's temp directory (typically `/tmp`) before moving it to the target location using `shutil.move()`. The vulnerability triggers specifically when the `.env` path is a symbolic link and the temp directory resides on a different filesystem. Under these conditions, `shutil.move()` attempts an `os.rename()` first, which fails with an `OSError` because atomic renames cannot cross device boundaries. `shutil.move()` then falls back to copying the temporary file's contents onto the destination path; that write follows the symlink, so the new contents land in whatever file the link points to, and an attacker who controls the link chooses which file gets overwritten instead of the intended `.env`.

The attack scenario poses particular risk in multi-user environments where `/tmp` is shared or where applications process untrusted `.env` symlinks. Any script or service using python-dotenv to write environment variables becomes a potential vector for privilege escalation or configuration corruption. Developers are advised to upgrade python-dotenv immediately and audit existing deployments for symbolic link usage in configuration paths. Upgrading beyond version 1.1.0 closes the symlink-following behavior during cross-device rename operations, though environment-specific configurations may require additional hardening.
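
The two mitigations implied above (never rewrite through a symlink, and never let the temp-file move fall back to a symlink-following copy) can be enforced in the caller's own code regardless of library version. The following is an added example written for this page, not python-dotenv's code and not its fix: `safe_rewrite`, `set_key_safely`, `find_symlinked_env_files`, `UnsafeEnvPath` and `demo` are names chosen here, and the source/dest pair yielded by `safe_rewrite` only assumes a shape analogous to the library's `rewrite()` helper. The temp file is created beside the target so `os.replace()` is an atomic same-device rename, and the target is checked with lstat semantics before anything is written. `find_symlinked_env_files` is the audit the advisory recommends, and `demo()` builds a scratch directory with constructed sample data to exercise both paths.

```python
"""Hardened counterpart to the temp-file-then-move pattern described above.
Added example, not python-dotenv's code; names here are hypothetical."""
import io
import os
import shutil
import tempfile
from contextlib import contextmanager
from pathlib import Path
from typing import Iterator, List, TextIO, Tuple, Union


class UnsafeEnvPath(RuntimeError):
    """The .env path is a symbolic link or not a regular file; nothing was written."""


@contextmanager
def safe_rewrite(path: Union[str, os.PathLike], encoding: str = "utf-8") -> Iterator[Tuple[TextIO, TextIO]]:
    """Yield (source, dest) for rewriting a .env file without following symlinks.

    Two differences from a /tmp temp file moved with shutil.move():
    1. The target is checked with lstat semantics (Path.is_symlink) before any
       write, so a planted link cannot redirect the output.
    2. The temp file lives in the target's own directory, so os.replace() is an
       atomic same-device rename and the copy fallback that follows symlinks
       is never reached (a cross-device error would raise instead).
    """
    path = Path(path)
    if path.is_symlink():
        raise UnsafeEnvPath(f"{path} is a symbolic link; refusing to write through it")
    if path.exists() and not path.is_file():
        raise UnsafeEnvPath(f"{path} is not a regular file")
    tmp_fd, tmp_name = tempfile.mkstemp(prefix=".env.tmp.", dir=path.parent)
    try:
        with os.fdopen(tmp_fd, "w", encoding=encoding) as dest:
            if path.exists():
                with open(path, "r", encoding=encoding) as source:
                    yield source, dest
            else:
                yield io.StringIO(""), dest  # a missing file is treated as empty
        os.replace(tmp_name, path)  # atomic; never follows a symlink at the destination
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)  # leave no stray temp file on any failure
        raise


def set_key_safely(path: Union[str, os.PathLike], key: str, value: str) -> bool:
    """Replace KEY=... in place (keeping other lines) or append it.

    Returns True if an existing assignment was replaced. Values are written
    unquoted, a simplification of dotenv's quoting rules.
    """
    replaced = False
    with safe_rewrite(path) as (source, dest):
        for line in source:
            if not line.endswith("\n"):
                line += "\n"
            name = line.split("=", 1)[0].strip()
            if name.startswith("export "):
                name = name[len("export "):].strip()
            if name == key:
                dest.write(f"{key}={value}\n")
                replaced = True
            else:
                dest.write(line)
        if not replaced:
            dest.write(f"{key}={value}\n")
    return replaced


def find_symlinked_env_files(root: Union[str, os.PathLike]) -> List[Path]:
    """Audit helper: every .env-style file under root that is a symbolic link."""
    hits: List[Path] = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if name == ".env" or name.startswith(".env."):
                candidate = Path(dirpath) / name
                if candidate.is_symlink():
                    hits.append(candidate)
    return sorted(hits)


def demo() -> dict:
    """Constructed scenario: a normal .env rewrite plus a symlink that must be refused."""
    workdir = Path(tempfile.mkdtemp(prefix="dotenv-demo-"))
    env = workdir / ".env"
    env.write_text("APP=demo\nDEBUG=0\n", encoding="utf-8")
    replaced = [set_key_safely(env, "DEBUG", "1"), set_key_safely(env, "NEW", "x")]
    victim = workdir / "protected.txt"  # stands in for any file a link might point at
    victim.write_text("do not overwrite\n", encoding="utf-8")
    link = workdir / ".env.production"
    os.symlink(victim, link)
    try:
        set_key_safely(link, "PWNED", "1")
        refused = False
    except UnsafeEnvPath:
        refused = True
    result = {
        "env": env.read_text(encoding="utf-8"),
        "replaced": replaced,
        "refused": refused,
        "victim": victim.read_text(encoding="utf-8"),
        "symlinked": [p.name for p in find_symlinked_env_files(workdir)],
        "leftover_tmp": sorted(p.name for p in workdir.iterdir() if p.name.startswith(".env.tmp")),
    }
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` rewrites `.env` to `APP=demo\nDEBUG=1\nNEW=x\n`, leaves `protected.txt` untouched because the write through `.env.production` is refused before any temp file is created, and reports that link in the audit result with no leftover temp files in the directory.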
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cve, python-dotenv, symlink, arbitrary-file-overwrite, supply-chain
- **Credibility**: unverified
- **Published**: 2026-04-27 00:54:07
- **ID**: 77262
- **URL**: https://whisperx.ai/en/intel/77262