Nixpkgs security tracker
Published
Permalink
CVE-2026-28684
6.6 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually.
References
-
https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94 exploitx_refsource_CONFIRM
Ignored references (1)
-
https://github.com/theskumar/python-dotenv/releases/tag/v1.2.2 x_refsource_MISC
Affected products
python-dotenv
- ==< 1.2.2
Matching in nixpkgs
pkgs.python312Packages.python-dotenv
Add .env support to your django/flask apps in development and deployments
pkgs.python313Packages.python-dotenv
Add .env support to your django/flask apps in development and deployments
pkgs.python314Packages.python-dotenv
Add .env support to your django/flask apps in development and deployments
Package maintainers
-
@erikarvstedt Erik Arvstedt <erik.arvstedt@gmail.com>