Skip to main content

Tooling CVE-2026-4660

| EUVDEUVD-2026-20894 HIGH
Information Exposure (CWE-200)
2026-04-09 HashiCorp GHSA-92mm-2pjq-r785
7.5
CVSS 3.1 · Vendor: HashiCorp
Share

Severity by source

Vendor (HashiCorp) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (HashiCorp).

CVSS VectorVendor: HashiCorp

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 14:15 euvd
EUVD-2026-20894
Analysis Generated
Apr 09, 2026 - 14:15 vuln.today
CVE Published
Apr 09, 2026 - 13:47 nvd
HIGH 7.5

DescriptionCVE.org

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

AnalysisAI

Arbitrary file read vulnerability in HashiCorp go-getter library versions up to 1.8.5 enables unauthenticated remote attackers to access sensitive files from the target filesystem through specially crafted git operation URLs. The vulnerability permits confidentiality breach without authentication requirements, affecting network-accessible services utilizing the library for repository cloning or fetching operations. Fixed in version 1.8.6; go-getter/v2 branch unaffected. No public exploit identified at time of analysis.

Technical ContextAI

Path traversal flaw (CWE-200) in git URL processing logic permits file system access beyond intended repository boundaries. Malicious URL parameters during git clone/fetch operations bypass input sanitization, enabling read access to arbitrary files accessible to the application process. Root cause stems from insufficient validation of user-supplied git references before filesystem operations.

RemediationAI

Vendor-released patch: upgrade go-getter library to version 1.8.6 or later immediately. Update Go module dependencies via 'go get -u github.com/hashicorp/go-getter@v1.8.6' and verify go.mod reflects patched version. For applications unable to upgrade immediately, migrate to go-getter/v2 branch which is not affected by this vulnerability. Organizations should audit all projects for go-getter dependencies and prioritize updates for internet-facing services. Detailed vendor security bulletin available at https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311. No effective workaround exists for v1 branch without upgrading; restrict network access to services using vulnerable versions until patched.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP5 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP6 Affected
openSUSE Leap 15.5 Affected
openSUSE Leap 15.6 Affected

Share

CVE-2026-4660 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy