[Bug]: Security issue CVE-2026-28684 on python-dotenv cannot be fixed due to pinned versions #26333

@bhadrim

Description

Check for existing issues

  • I have searched the existing issues and checked that my issue is not a duplicate.

What happened?

We got CVEs on python-dotenv, but we are unable to fix this as litellm pins python-dotenv to 1.0.1. Can you please either bump the version or not pin versions in pyproject.toml, and instead use uv.lock or requirements.txt, as mentioned in a number of other issues on the board? Thank you.

Vulnerability scan summary
	Vulnerability found: GHSA-mf9w-mj56-hr94 - CLAIR-PYPI-PYTHON-DOTENV-2681296207
		URL: https://nvd.nist.gov/vuln/detail/CVE-2026-28684
		Package: python-dotenv
		Version: 1.0.1
		Introduced By: pydantic-settings:2.14.0 --> python-dotenv:1.0.1, litellm:1.83.7 --> python-dotenv:1.0.1
		Severity: medium
		Description: python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
		Remediation: 1.2.2
		Updated at: 2026-04-21T14:38:57Z
		Codes: [CVE-2026-28684]

Steps to Reproduce

This is a security issue. No steps required to reproduce.

What part of LiteLLM is this about?

SDK (litellm Python package)

What LiteLLM version are you on ?

1.83.7

Twitter / LinkedIn details

No response
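The report's point is that a remediation version (1.2.2) exists but a hard `==` pin on the vulnerable version keeps the resolver from reaching it. The following is an added example, not code from the issue or from the litellm project: it parses a scan summary in the format shown above (a copy of the summary is embedded as constructed input), lists the top-level packages that pull in the vulnerable version, and checks whether a given dependency specifier (assumed to look like `python-dotenv==1.0.1`, as the report describes; the exact contents of litellm's pyproject.toml are not shown on the page) would block upgrading to the remediation version. Version comparison is a simplified numeric-tuple compare rather than full PEP 440, and `constraint_allows` supports only the common operators.

```python
"""Added example: triage a scan finding against dependency pins.

Not from the issue or from litellm. The scan summary below is a copy of the
one in the report; the pins passed to blocking_pins() are constructed inputs.
Version handling is simplified (numeric tuples, not full PEP 440).
"""
import re

# Constructed copy of the scan summary from the report.
SCAN_SUMMARY = """\
Vulnerability scan summary
\tVulnerability found: GHSA-mf9w-mj56-hr94 - CLAIR-PYPI-PYTHON-DOTENV-2681296207
\t\tURL: https://nvd.nist.gov/vuln/detail/CVE-2026-28684
\t\tPackage: python-dotenv
\t\tVersion: 1.0.1
\t\tIntroduced By: pydantic-settings:2.14.0 --> python-dotenv:1.0.1, litellm:1.83.7 --> python-dotenv:1.0.1
\t\tSeverity: medium
\t\tRemediation: 1.2.2
\t\tCodes: [CVE-2026-28684]
"""

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """'1.2.2' -> (1, 2, 2). Simplified: numeric components only."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_summary(text):
    """Extract the 'Key: value' fields of a scan summary into a report dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+): (.*)", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    # 'a:1.0 --> b:2.0, c:3.0 --> b:2.0' -> [[('a','1.0'),('b','2.0')], ...]
    chains = []
    for chain in fields.get("Introduced By", "").split(","):
        parts = [p.strip() for p in chain.split("-->") if p.strip()]
        chains.append([tuple(p.rsplit(":", 1)) for p in parts])
    return {
        "package": fields["Package"],
        "version": fields["Version"],
        "remediation": fields["Remediation"],
        "chains": chains,
        "codes": re.findall(r"CVE-\d{4}-\d+", fields.get("Codes", "")),
    }


def is_vulnerable(report):
    """True when the installed version is below the remediation version."""
    return parse_version(report["version"]) < parse_version(report["remediation"])


def direct_dependencies(report):
    """Top-level packages that pull in the vulnerable package, per the scan."""
    return sorted({chain[0][0] for chain in report["chains"] if chain})


def constraint_allows(spec, version):
    """Does a specifier like 'python-dotenv>=1.0.1,<2' accept `version`?"""
    m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(.*)", spec)
    clauses = m.group(2)
    v = parse_version(version)
    for clause in (c.strip() for c in clauses.split(",")):
        if not clause:
            continue
        op, target = re.match(r"(==|!=|>=|<=|~=|>|<)\s*([\d.]+)", clause).groups()
        t = parse_version(target)
        if op == "~=":
            # Compatible release: >= target and < the next release of its prefix.
            if len(t) < 2:
                ok = v >= t
            else:
                upper = t[:-2] + (t[-2] + 1,)
                ok = t <= v < upper
        else:
            ok = _OPS[op](v, t)
        if not ok:
            return False
    return True


def blocking_pins(report, pins):
    """Return the specifiers that prevent installing the remediation version."""
    blocked = []
    for spec in pins:
        name = re.match(r"\s*([A-Za-z0-9_.-]+)", spec).group(1)
        if name.lower() == report["package"].lower() and not constraint_allows(
            spec, report["remediation"]
        ):
            blocked.append(spec)
    return blocked


if __name__ == "__main__":
    report = parse_summary(SCAN_SUMMARY)
    print("vulnerable:", is_vulnerable(report), "via", direct_dependencies(report))
    # Constructed pins: a hard pin blocks the fix, a lower bound does not.
    for pins in (["python-dotenv==1.0.1"], ["python-dotenv>=1.0.1,<2"]):
        print(pins, "blocks remediation:", blocking_pins(report, pins))
```

Run as a script it prints which of the two constructed specifiers blocks the 1.2.2 remediation; in practice you would feed it the dependency list from the project's pyproject.toml or a lockfile and the scanner's output.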

Labels

SDK, bug (Something isn't working)