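2026-04-09 13:47 · CVE-2026-4660 · HashiCorp
PUBLISHED · CVE record format 5.2 (this is the record's dataVersion, not a severity score; the CVSS 3.1 base score is 7.5 HIGH) · CWE-200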

Go-getter may allow to arbitrary filesystem reads through git operations

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

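Problem type

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (the record's impact entry is CAPEC-6: Argument Injection)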

Affected products

HashiCorp

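Tooling (the record's product name; the affected code is the go-getter library, repository https://github.com/hashicorp/go-getter)

< 1.8.6 - AFFECTED (semver range starting at 0; fixed in 1.8.6; the go-getter/v2 branch and package are not affected)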

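References

https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311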

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-4660
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-4660",
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "dateUpdated": "2026-04-09T13:47:46.953Z",
    "dateReserved": "2026-03-23T16:07:20.700Z",
    "datePublished": "2026-04-09T13:47:46.953Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp",
        "dateUpdated": "2026-04-09T13:47:46.953Z"
      },
      "title": "Go-getter may allow to arbitrary filesystem reads through git operations",
      "descriptions": [
        {
          "lang": "en",
          "value": "HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.</p><br/>"
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "HashiCorp",
          "product": "Tooling",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "repo": "https://github.com/hashicorp/go-getter",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "1.8.6"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "cweId": "CWE-200",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-6",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-6: Argument Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH"
          }
        }
      ]
    }
  }
}