Fabre

#1134491 python-dotenv: CVE-2026-28684 #1134491

Package:: src:python-dotenv

Source:: src:python-dotenv

Submitter:: Salvatore Bonaccorso

Date:: 2026-04-20 20:11:02 UTC

Severity:: normal

Tags:

#1134491#5

Date:: 2026-04-20 20:08:34 UTC

From:

To:

Hi,

The following vulnerability was published for python-dotenv.

CVE-2026-28684[0]:
| python-dotenv reads key-value pairs from a .env file and can set
| them as environment variables. Prior to version 1.2.2, `set_key()`
| and `unset_key()` in python-dotenv follow symbolic links when
| rewriting `.env` files, allowing a local attacker to overwrite
| arbitrary files via a crafted symlink when a cross-device rename
| fallback is triggered. Users should upgrade to v.1.2.2 or, as a
| workaround, apply the patch manually.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-28684
https://www.cve.org/CVERecord?id=CVE-2026-28684
[1] https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94
[2] https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1134491 python-dotenv: CVE-2026-28684 #1134491

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)