CVE-2026-4660 - Vulnerability Details

- Go-getter may allow to arbitrary filesystem reads through git operations

Description

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

Published: 2026-04-09

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in HashiCorp’s go‑getter library version 1.8.5 and earlier. A specially crafted git URL can cause the library to resolve paths that lead outside the intended repository, allowing the caller to read arbitrary files on the host file system. Attackers could thus obtain sensitive configuration files or secrets, resulting in accidental disclosure of confidential data. The weakness is reflected by CWE‑200 (Information Exposure) and CWE‑22 (Path Traversal).

Affected Systems

Affected systems include any HashiCorp tooling that uses go‑getter up to and including v1.8.5, such as HashiCorp infrastructure automation products that import modules or plugins via git. The vulnerability does not affect the go‑getter/v2 package, nor versions 1.8.6 and later, which are already patched.

Risk and Exploitability

The CVSS score of 7.5 indicates a medium‑to‑high severity, while the lack of an EPSS score suggests insufficient public exploitation data. The issue is not yet listed in CISA’s KEV catalog. The exploit would require the attacker to supply a malicious git URL; thus, attackers could target assets during provisioning or module fetch operations. The path traversal is not provided by a web interface by default, implying that the attack vector is likely restricted to automated or scripted Git operations, potentially through supply‑chain manipulation or social engineering.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

HashiCorp

Tooling

unaffected

Version	Status	Constraints
`0`	affected	< 1.8.6

No data.

Vendor Product Confidence Versions

Hashicorp

Tooling

100%

Version	Status	Scheme	Platform
`[0,1.8.6)`	affected	semver	['64_bit', '32_bit', 'x86', 'arm', 'macos', 'windows', 'linux']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade HashiCorp go‑getter to version 1.8.6 or later
Verify that all tooling components use the upgraded library version
Limit git operations to trusted sources or disable external git access when feasible
Monitor for unexpected file‑system access or anomalous git activity
Apply regular dependency updates as per best practice

Generated by OpenCVE AI on April 10, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-92mm-2pjq-r785	HashiCorp's go-getter library may allow arbitrary file reads

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311
https://nvd.nist.gov/vuln/detail/CVE-2026-4660
https://www.cve.org/CVERecord?id=CVE-2026-4660

History

Fri, 10 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-22
References		https://nvd.nist.gov/vuln/detail/CVE-2026-4660 https://www.cve.org/CVERecord?id=CVE-2026-4660
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 10 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hashicorp Hashicorp tooling
Vendors & Products		Hashicorp Hashicorp tooling

Thu, 09 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 09 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
Title		Go-getter may allow to arbitrary filesystem reads through git operations
Weaknesses		CWE-200
References		https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Hashicorp Tooling

MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published: 2026-04-09T13:47:46.953Z

Updated: 2026-04-17T17:57:55.534Z

Reserved: 2026-03-23T16:07:20.700Z

Link: CVE-2026-4660

Vulnrichment

Updated: 2026-04-09T14:44:52.929Z

NVD

Status : Awaiting Analysis

Published: 2026-04-09T14:16:32.993

Modified: 2026-04-13T15:02:47.353

Link: CVE-2026-4660

Redhat

Severity : Important

Publid Date: 2026-04-09T13:47:46Z

Links: CVE-2026-4660 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-13T13:06:55Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object