CVE-2026-4660
Status: Received - Intake
Arbitrary File Read in HashiCorp go-getter ≤ v

Publication date: 2026-04-09

Last updated on: 2026-04-09

Assigner: HashiCorp Inc.

Description
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-09
Generated: 2026-05-06
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor      Product     Version / Range
hashicorp   go-getter   up to 1.8.6 (excluding)
hashicorp   go-getter   1.8.6
CWE
CWE ID    Description
CWE-200   The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4660 is a vulnerability in HashiCorp's go-getter library versions up to 1.8.5 that allows an attacker to read arbitrary files on the host filesystem during certain Git operations.

The issue occurs when a Git URL without an explicit Git reference is used. The go-getter library tries to determine the remote repository's HEAD reference by passing arguments to the Git binary on the host system.

An attacker can exploit this by crafting a malicious Git URL that injects additional Git arguments during checkout operations, which leads to arbitrary file reads on the host filesystem.

This vulnerability is fixed in go-getter version 1.8.6 and does not affect the go-getter/v2 branch.


How can this vulnerability impact me?

This vulnerability can allow an attacker to read arbitrary files on your system without any privileges or user interaction.

Such unauthorized file reads can expose sensitive information stored on the filesystem, potentially leading to data leaks or further exploitation.

Because the vulnerability can be exploited remotely via crafted Git URLs, it poses a significant security risk to systems using vulnerable versions of the go-getter library.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying usage of the go-getter library versions up to 1.8.5 in your environment, especially if it performs Git operations using URLs without explicit Git references.

Since the vulnerability involves injection of additional Git arguments during checkout operations, monitoring or logging Git commands executed by go-getter could help detect suspicious activity.

Specifically, you can check the version of go-getter in use and audit Git commands invoked by it for unusual arguments or unexpected file reads.

  • Check go-getter version: Inspect your dependencies or binaries to confirm if go-getter version is 1.8.5 or earlier.
  • Monitor Git commands: Use system auditing tools or command history to detect Git commands with unusual arguments possibly injected by malicious URLs.
  • Example command to check go-getter version if available: `go list -m github.com/hashicorp/go-getter` or check your dependency manifest files.
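As an added example (not part of this page or of HashiCorp's go-getter project), the following Go code applies the advisory's range to the output of `go list -m -json all`: it flags github.com/hashicorp/go-getter below v1.8.6, leaves the separate /v2 module path alone, compares versions numerically rather than as strings, and follows replace directives. The module path, the fixed version v1.8.6 and the v2 exclusion are taken from the text above; everything else is assumed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module holds the fields of `go list -m -json all` output used here.
type Module struct {
	Path, Version string
	Replace       *Module
}

// Advisory range: github.com/hashicorp/go-getter before v1.8.6; the /v2 module is a separate path and is not affected.
const vulnPath = "github.com/hashicorp/go-getter"

// IsAffected reports whether path@version is in the vulnerable range. It compares numerically (a string compare
// gets "v1.8.10" < "v1.8.6" wrong) and treats a "-" suffix (pre-release or pseudo-version) of v1.8.6 as before the fix.
func IsAffected(path, version string) bool {
	var n [3]int
	if _, err := fmt.Sscanf(version, "v%d.%d.%d", &n[0], &n[1], &n[2]); path != vulnPath || err != nil {
		return false // other module, or an empty/malformed version that cannot be judged
	}
	for i, f := range [3]int{1, 8, 6} {
		if n[i] != f {
			return n[i] < f
		}
	}
	return strings.Contains(version, "-")
}

// ScanGoList reads the JSON objects streamed by `go list -m -json all` (pipe its output into a main that calls
// this on os.Stdin) and returns "path version" for each affected module, honouring replace directives.
func ScanGoList(r io.Reader) (hits []string, err error) {
	for dec := json.NewDecoder(r); dec.More(); {
		var m Module
		if err = dec.Decode(&m); err != nil {
			return hits, err
		}
		if m.Replace != nil { // a replace directive swaps in another path/version
			m = *m.Replace
		}
		if IsAffected(m.Path, m.Version) {
			hits = append(hits, m.Path+" "+m.Version)
		}
	}
	return hits, nil
}
```

A module replaced with a local directory has an empty Version and is skipped, so such entries still need a manual look.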

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the go-getter library to version 1.8.6 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, avoid using go-getter with Git URLs that do not specify explicit Git references, as this triggers the vulnerable code path.

Additionally, consider restricting or monitoring Git operations initiated by go-getter to detect or prevent exploitation attempts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the vulnerability in HashiCorp's go-getter library (CVE-2026-4660) affects compliance with common standards and regulations such as GDPR or HIPAA.

