CVE-2026-4660
Received Received - Intake
Arbitrary File Read in HashiCorp go-getter ≤ v

Publication date: 2026-04-09

Last updated on: 2026-04-09

Assigner: HashiCorp Inc.

Description
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4660
EUVD
EUVD-2026-20894
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
hashicorp go-getter to 1.8.6 (exc)
hashicorp go-getter 1.8.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4660 is a vulnerability in HashiCorp's go-getter library versions up to 1.8.5 that allows an attacker to read arbitrary files on the host filesystem during certain Git operations.

The issue occurs when a Git URL without an explicit Git reference is used. The go-getter library tries to determine the remote repository's HEAD reference by passing arguments to the Git binary on the host system.

An attacker can exploit this by crafting a malicious Git URL that injects additional Git arguments during checkout operations, which leads to arbitrary file reads on the host filesystem.

This vulnerability is fixed in go-getter version 1.8.6 and does not affect the go-getter/v2 branch.

Impact Analysis

This vulnerability can allow an attacker to read arbitrary files on your system without any privileges or user interaction.

Such unauthorized file reads can expose sensitive information stored on the filesystem, potentially leading to data leaks or further exploitation.

Because the vulnerability can be exploited remotely via crafted Git URLs, it poses a significant security risk to systems using vulnerable versions of the go-getter library.

Detection Guidance

This vulnerability can be detected by identifying usage of the go-getter library versions up to 1.8.5 in your environment, especially if it performs Git operations using URLs without explicit Git references.

Since the vulnerability involves injection of additional Git arguments during checkout operations, monitoring or logging Git commands executed by go-getter could help detect suspicious activity.

Specifically, you can check the version of go-getter in use and audit Git commands invoked by it for unusual arguments or unexpected file reads.

  • Check go-getter version: Inspect your dependencies or binaries to confirm if go-getter version is 1.8.5 or earlier.
  • Monitor Git commands: Use system auditing tools or command history to detect Git commands with unusual arguments possibly injected by malicious URLs.
  • Example command to check go-getter version if available: `go list -m github.com/hashicorp/go-getter` or check your dependency manifest files.
Mitigation Strategies

The primary mitigation step is to upgrade the go-getter library to version 1.8.6 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, avoid using go-getter with Git URLs that do not specify explicit Git references, as this triggers the vulnerable code path.

Additionally, consider restricting or monitoring Git operations initiated by go-getter to detect or prevent exploitation attempts.

Compliance Impact

The provided information does not specify how the vulnerability in HashiCorp's go-getter library (CVE-2026-4660) affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4660. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart