CVE-2026-4660 - Vulnerability Details

- Go-getter may allow to arbitrary filesystem reads through git operations

Description

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

Published: 2026-04-09

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw in HashiCorp’s go‑getter library allows an attacker to read any file on the host operating system during certain Git operations. By supplying a maliciously crafted Git URL, a remote code execution vector is created that falls under CWE‑200, enabling confidential data disclosure such as credentials, configuration files, or private keys.

Affected Systems

The vulnerability exists in all releases of HashiCorp's go‑getter up to and including v1.8.5. The library is commonly used across HashiCorp tooling, while the separate go‑getter/v2 branch is unaffected. The issue is resolved in go‑getter v1.8.6 and later.

Risk and Exploitability

With a CVSS score of 7.5 the flaw is classified as high severity, indicating serious risk if exploited. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, so the exact exploit likelihood is unknown. However, the attack path—injecting a malicious Git URL during normal repository operations—is easily achievable in any environment that uses go‑getter for remote fetching, making the risk considerable for exposed pieces of the code base or configuration.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

HashiCorp

Tooling

unaffected

Version	Status	Constraints
`0`	affected	< 1.8.6

No data.

Vendor Product Confidence Versions

Hashicorp

Tooling

100%

Version	Status	Scheme	Platform
`[0,1.8.6)`	affected	semver	['64_bit', '32_bit', 'x86', 'arm', 'macos', 'windows', 'linux']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the go‑getter library to version 1.8.6 or later, as this release contains the patch that eliminates the arbitrary file read.
Verify that any dependencies or wrappers around go‑getter in your tooling are also updated to rely on the fixed version.
If an immediate upgrade is not feasible, restrict the set of allowed Git URLs to a trusted whitelist and validate all incoming URLs against it before invoking go‑getter.
Continue to monitor HashiCorp security advisories and community forums for any additional workarounds or future patches.

Generated by OpenCVE AI on April 9, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-92mm-2pjq-r785	HashiCorp's go-getter library may allow arbitrary file reads

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311
https://nvd.nist.gov/vuln/detail/CVE-2026-4660
https://www.cve.org/CVERecord?id=CVE-2026-4660

History

Fri, 10 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-22
References		https://nvd.nist.gov/vuln/detail/CVE-2026-4660 https://www.cve.org/CVERecord?id=CVE-2026-4660
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 10 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hashicorp Hashicorp tooling
Vendors & Products		Hashicorp Hashicorp tooling

Thu, 09 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 09 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
Title		Go-getter may allow to arbitrary filesystem reads through git operations
Weaknesses		CWE-200
References		https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Hashicorp Tooling

MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published: 2026-04-09T13:47:46.953Z

Updated: 2026-04-09T14:44:55.926Z

Reserved: 2026-03-23T16:07:20.700Z

Link: CVE-2026-4660

Vulnrichment

Updated: 2026-04-09T14:44:52.929Z

NVD

Status : Received

Published: 2026-04-09T14:16:32.993

Modified: 2026-04-09T14:16:32.993

Link: CVE-2026-4660

Redhat

Severity : Important

Publid Date: 2026-04-09T13:47:46Z

Links: CVE-2026-4660 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:32:50Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object